Abstract

We present algorithms revealing new families of polynomials allowing sub-exponential detection of p-adic rational roots, relative to the sparse encoding. For instance, we show that the case of honest n-variate (n+1)-nomials is doable in NP and, for p exceeding the Newton polytope volume and not dividing any coefficient, in constant time. Furthermore, using the theory of linear forms in p-adic logarithms, we prove that the case of trinomials in one variable can be done in NP. The best previous complexity bounds for these problems were EXPTIME or worse. Finally, we prove that detecting p-adic rational roots for sparse polynomials in one variable is NP-hard with respect to randomized reductions. The last proof makes use of an efficient construction of primes in certain arithmetic progressions. The smallest n where detecting p-adic rational roots for n-variate sparse polynomials is NP-hard appears to have been unknown.


1 Introduction

Paralleling earlier results over the real numbers [BRS09], we study the complexity of detecting p-adic rational roots for sparse polynomials. We find complexity lower bounds over $\mathbb{Q}_p$ hitherto unattainable over $\mathbb{R}$, as well as new algorithms over $\mathbb{Q}_p$ with complexity close to that of recent algorithms over $\mathbb{R}$ (see Theorem 1.2 below).

More precisely, for any commutative ring $R$ with multiplicative identity, we let $\mathrm{FEAS}_R$, the $R$-feasibility problem (a.k.a. Hilbert's Tenth Problem over $R$ [DLPvG00]), denote the problem of deciding whether an input polynomial system $F \in \bigcup_{k,n\in\mathbb{N}} (\mathbb{Z}[x_1,\ldots,x_n])^k$ has a root in $R^n$. Observe that $\mathrm{FEAS}_{\mathbb{R}}$, $\mathrm{FEAS}_{\mathbb{Q}}$, and $\{\mathrm{FEAS}_{\mathbb{F}_q}\}_{q \text{ a prime power}}$ are central problems respectively in algorithmic real algebraic geometry, algorithmic number theory, and cryptography.

Algorithmic results over the p-adics are useful in many computational areas: polynomial-time factoring algorithms over $\mathbb{Q}[x_1]$ [LLL82], computational complexity [Roj02], studying prime ideals in number fields [Coh94, Ch. 4 & 6], elliptic curve cryptography [Lau04], and the computation of zeta functions [CDV06, LW08, Cha08]. Also, much work has gone into using p-adic methods to algorithmically detect rational points on algebraic plane curves via variations of the Hasse Principle^1 (see, e.g., [C-T98, Poo06]). However, our knowledge of the complexity of deciding the existence of solutions for sparse polynomial equations over $\mathbb{Q}_p$ is surprisingly coarse: good bounds for the number of solutions over $\mathbb{Q}_p$ in one variable weren't even known until the late 1990s [Len99b].

Definition 1.1 Let $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}$ denote the problem of deciding, for an input Laurent polynomial system $F \in \bigcup_{k,n\in\mathbb{N}} (\mathbb{Z}[x_1^{\pm 1},\ldots,x_n^{\pm 1}])^k$ and an input prime $p$, whether $F$ has a root in $\mathbb{Q}_p^n$. Also let $\mathcal{P} \subset \mathbb{N}$ denote the set of primes, $p \in \mathcal{P}$, and, when $\mathcal{I}$ is a family of such pairs $(F,p)$, we let $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}(\mathcal{I})$ denote the restriction of $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}$ to inputs in $\mathcal{I}$.

When $a_j \in \mathbb{Z}^n$, the notations $a_j = (a_{1,j},\ldots,a_{n,j})$, $x^{a_j} = x_1^{a_{1,j}} \cdots x_n^{a_{n,j}}$, and $x = (x_1,\ldots,x_n)$ will be understood. Also, when $f(x) := \sum_{j=1}^m c_j x^{a_j}$, $c_j \in \mathbb{Z}\setminus\{0\}$ for all $j$, and the $a_j \in \mathbb{Z}^n$ are pair-wise distinct, we call $f$ an n-variate m-nomial, and we define $\mathrm{Supp}(f) := \{a_1,\ldots,a_m\}$ to be the support of $f$. We also define $\mathrm{Newt}(f)$, the (standard) Newton polytope of $f$, to be the convex hull of^2 $\mathrm{Supp}(f)$ and let $V_f$ denote its $n$-dimensional volume, normalized so that $[0,1]^n$ has volume 1.

Let $\mathrm{size}(f) := \sum_{i=1}^m \log_2[(2+|c_i|)(2+|a_{1,i}|)\cdots(2+|a_{n,i}|)]$ and $\mathrm{size}(F) := \sum_{j=1}^k \mathrm{size}(f_j)$. The underlying input sizes for $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}$ and $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}(\mathcal{I})$ shall then be $\mathrm{size}_p(F) := \mathrm{size}(F) + \log p$, and we use $\mathrm{size}(F)$ as the input size for $\mathrm{FEAS}_{\mathbb{Q}_p}$ for any prime $p$. Finally, we let $\mathcal{F}_{n,m}$ denote the set of all n-variate m-nomials and, for any $m \geq n+1$, we let $\mathcal{F}^*_{n,m} \subset \mathcal{F}_{n,m}$ denote the subset consisting of those $f$ with $V_f > 0$. We call any $f \in \mathcal{F}^*_{n,m}$ an honest n-variate m-nomial (or honestly n-variate). ◇

As an example, it is clear that upon substituting $y_1 := x_1x_2x_3^2x_4^3$, the dishonestly 4-variate trinomial $-1 + 7x_1x_2x_3^2x_4^3 - 43x_1^9x_2^9x_3^{18}x_4^{27}$ (with support contained in a line segment) has a root in $(\mathbb{Q}_p^*)^4$ iff the honest univariate trinomial $-1 + 7y_1 - 43y_1^9$ has a root in $\mathbb{Q}_p^*$. Via the use of Hermite Normal Form (as in Section 3 below), it is then easy to see that there is no loss of generality in restricting to $\mathcal{F}^*_{n,n+k}$ (with $k \geq 1$) when studying the algorithmic complexity of sparse polynomials. Note also that the degree, $\deg f$, of a polynomial $f$ can sometimes be exponential in $\mathrm{size}(f)$ for certain families of $f$.

While there are now randomized algorithms for factoring $f \in \mathbb{Z}[x_1]$ over $\mathbb{Q}_p[x_1]$ with expected complexity polynomial in $\deg(f) + \mathrm{size}_p(f)$ [CG00] (see also [Chi91]), no such algorithms are known to have complexity polynomial in $\mathrm{size}_p(f)$ alone. Our main theorem below shows that such algorithms are hard to derive because finding just the linear factors is already essentially equivalent to the P=NP problem. Nevertheless, we obtain fast new algorithms for interesting sub-cases of $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}((\bigcup_{n\in\mathbb{N}} \mathbb{Z}[x_1,\ldots,x_n]) \times \mathcal{P})$.

Theorem 1.2

0. $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}(\mathcal{F}_{1,m} \times \mathcal{P}) \in \mathbf{P}$ for $m \in \{0,1,2\}$.

1. For any fixed prime $p$ we have $\mathrm{FEAS}_{\mathbb{Q}_p}(\mathcal{F}_{1,3}) \in \mathbf{NP}$.

2. There is a countable union of algebraic hypersurfaces $\mathcal{E} \subsetneq \mathbb{Z}[x_1] \times \mathcal{P}$, with natural density 0, such that $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}((\mathbb{Z}[x_1] \times \mathcal{P}) \setminus \mathcal{E}) \in \mathbf{NP}$.

3. (a) $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}((\bigcup_{n\in\mathbb{N}} \mathcal{F}^*_{n,n+1}) \times \mathcal{P}) \in \mathbf{NP}$.

(b) Letting $\mathcal{Q} := \{c_0 + c_1x_1^2 + \cdots + c_nx_n^2 \mid n \in \mathbb{N};\ c_0,\ldots,c_n \in \mathbb{Z}\setminus\{0\}\} \times \mathcal{P}$, we have $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}(\mathcal{Q}) \in \mathbf{P}$.

(c) Letting $\mathcal{W} \subset (\bigcup_{n\in\mathbb{N}} \mathcal{F}^*_{n,n+1}) \times \mathcal{P}$ denote the subset consisting of those $(f,p)$ with $n \geq 2$, $p > (n!V_f)^{2/(n-1)}$, and $p$ not dividing $n!V_f$ or any coefficient of $f$, we have that $f$ always has a root in $\mathbb{Q}_p^n$ for any $(f,p) \in \mathcal{W}$, i.e., $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}(\mathcal{W})$ is doable in constant time.

4. If $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}(\mathbb{Z}[x] \times \mathcal{P}) \in \mathbf{ZPP}$ then $\mathbf{NP} \subseteq \mathbf{ZPP}$.

5. If the Wagstaff Conjecture is true, then $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}(\mathbb{Z}[x] \times \mathcal{P}) \in \mathbf{P} \Longrightarrow \mathbf{P} = \mathbf{NP}$; i.e., we can strengthen Assertion (4) above.

^1 If $F(x_1,\ldots,x_n) = 0$ is any polynomial equation and $Z_K$ is its zero set in $K^n$, then the Hasse Principle is the assumption that [$Z_{\mathbb{C}}$ smooth, $Z_{\mathbb{R}} \neq \emptyset$, and $Z_{\mathbb{Q}_p} \neq \emptyset$ for all primes $p$] implies $Z_{\mathbb{Q}} \neq \emptyset$ as well. The Hasse Principle is a theorem when $Z_{\mathbb{C}}$ is a quadric hypersurface or a curve of genus zero, but fails in subtle ways already for curves of genus one (see, e.g., [Poo01a]).

^2 i.e., smallest convex set containing...

The aforementioned complexity classes are reviewed briefly in Section 2 (see also [Pap95] for an excellent textbook treatment). The Wagstaff Conjecture, dating back to 1979 (see, e.g., [BS96, Conj. 8.5.10, pg. 224]), is the assertion that the least prime congruent to $k$ mod $N$ is $O(\varphi(N)\log^2 N)$, where $\varphi(N)$ is the number of integers in $\{1,\ldots,N\}$ relatively prime to $N$. This conjectural bound is (unfortunately) much stronger than the known implications of the Generalized Riemann Hypothesis.

Let us now briefly highlight what is new in our main theorem, and how the real case compares.^3 First, one can in fact prove $\mathrm{FEAS}_{\mathbb{R}}(\bigcup_{n\in\mathbb{N}} \mathcal{F}^*_{n,n+1}) \in \mathbf{NC}^1$ (i.e., a much stronger real analogue of Assertion (3)) via some elementary tricks involving monomial changes of variables [BRS09, Thm. 1.3]. Unfortunately, these tricks are obstructed over $\mathbb{Q}_p$ (see Example 1.5 below), thus making Assertion (3) harder to prove. As evinced by Parts (b) and (c) of Assertion (3), algorithms for $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}((\bigcup_{n\in\mathbb{N}} \mathcal{F}^*_{n,n+1}) \times \mathcal{P})$ clearly complement classical results on quadratic forms (see, e.g., [Ser73, Ch. IV]) and the Weil Conjectures (see, e.g., [Wei49, FK88]). More to the point, the best previous complexity upper bound for $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}((\bigcup_{n\in\mathbb{N}} \mathcal{F}^*_{n,n+1}) \times \mathcal{P})$ appears to be quadruply exponential, via an extension of Hensel's Lemma by Birch and McCann [BMc67].

While the real analogue of Assertion (0) is not hard to prove, $\mathrm{FEAS}_{\mathbb{R}}(\mathcal{F}_{1,3}) \in \mathbf{P}$ (a stronger real analogue for Assertion (1)) was proved only recently [BRS09, Thm. 1.3] using linear forms in logarithms [Nes03]. It is thus worth noting that the proof of Assertion (1) (in Section 5) uses linear forms in p-adic logarithms [Yu94] at a critical juncture, and suggests an approach to a significant speed-up.

Corollary 1.3 Suppose that for all $p \in \mathcal{P}$ and $\ell \geq 1$, $\mathrm{FEAS}_{\mathbb{Z}/p^\ell\mathbb{Z}}(\mathcal{F}_{1,3})$ admits a (deterministic) algorithm^4 with complexity $(p + \ell + \mathrm{size}(f))^{O(1)}$. Then for any fixed prime $p$, $\mathrm{FEAS}_{\mathbb{Q}_p}(\mathcal{F}_{1,3}) \in \mathbf{P}$.

The truth of the hypothesis to our corollary above appears to be an open question. (Note that brute-force search easily leads to an algorithm of complexity $p^\ell\,\mathrm{size}(f)^{O(1)}$, so the main issue here is the dependence on $\ell$.) Paraphrased in our notation, Erich Kaltofen asked in 2003 whether $\mathrm{FEAS}_{\mathbb{Z}/p^\ell\mathbb{Z}}(\mathcal{F}_{1,3})$ admits a (deterministic) algorithm with complexity $(\log(p) + \mathrm{size}(f))^{O(1)}$ [Kal03].^5

^3 A weaker version of Theorem 1.2, without Assertions (1) and (3), appeared recently in an extended abstract [AIRR10].

^4 All algorithms discussed here are based on Turing machines [Pap95].

^5 David A. Cox also independently asked Rojas the same question in August of 2004.
The best previous complexity upper bound for $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}(\mathbb{Z}[x_1] \times \mathcal{P})$ relative to the sparse input size appears to have been EXPTIME [MW99]. In particular, $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}(\mathcal{F}_{1,3} \times \mathcal{P}) \in \mathbf{NP}$ and $\mathrm{FEAS}_{\mathbb{R}}(\mathcal{F}_{1,4}) \in \mathbf{NP}$ are still open questions [BRS09, Sec. 1.2]. High probability speed-ups over $\mathbb{R}$ paralleling Assertion (2) are also unknown at this time. For clarity, here is an example illustrating the zero-density exception in Assertion (2).

Example 1.4 Let $T$ denote the family of pairs $(f,p) \in \mathbb{Z}[x_1] \times \mathcal{P}$ with $f(x_1) = a + bx_1^{11} + cx_1^{17} + x_1^{31}$ and let $T^* := T \setminus \mathcal{E}$. Then there is a sparse $61 \times 61$ structured matrix $S$ (cf. Lemma 4.3 in Section 4 below), whose entries lie in $\{0, 1, 31, a, b, 11b, c, 17c\}$, such that $(f,p) \in T^* \iff p \nmid \det S$. So, by the results of Section 4, $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}(T^*) \in \mathbf{NP}$, and Corollary 4.6 in Section 4 below tells us that for large coefficients, $T^*$ occupies almost all of $T$. In particular, letting $T(H)$ (resp. $T^*(H)$) denote those pairs $(f,p)$ in $T$ (resp. $T^*$) with $|a|,|b|,|c|,p \leq H$, we obtain

$$\frac{\#T^*(H)}{\#T(H)} \;\geq\; \left(1 - \frac{244}{2H+1}\right)\left(1 - \frac{1 + 61\log(4H)\log H}{H}\right).$$

In particular, one can check via Maple that $(-973 + 21x_1^{11} - 2x_1^{17} + x_1^{31},\ p) \in T^*$ for all but 352 primes $p$. ◇

As for lower bounds, the least $n$ making $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}(\mathbb{Z}[x_1,\ldots,x_n] \times \mathcal{P})$ NP-hard appears to have been unknown. Assertions (4) and (5) thus come close to settling this problem. In particular, while it is not hard to show that the full problem $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}$ is NP-hard, the proofs of Assertions (4) and (5) make essential use of a deep result of Alford, Granville, and Pomerance [AGP94] on primes in random arithmetic progressions. We detail this connection below.

1.1 Related Work, a Topological Observation, Weil's Conjecture, and Primes in Arithmetic Progression

Let us first recall that Emil Artin conjectured around 1935 that, for any prime $p$, homogeneous polynomials of degree $d$ in $n > d^2$ variables always have non-trivial roots in $\mathbb{Q}_p$ [Art65]. (The polynomials $x_1^2 + \cdots + x_n^2$ show that Artin's conjecture is resoundingly false over the real numbers.) Artin's conjecture was already known to be true for $d = 2$ [Has24] and, in 1952, the $d = 3$ case was proved by Lewis [Lew52]. However, in 1966, Terjanian disproved the conjecture via an example with $(p,d,n) = (2,4,18)$.

The Ax-Kochen Theorem from 1965 provided a valid correction of Artin's conjecture: for any $d$, there is a constant $p_d$ such that for all primes $p > p_d$, any homogeneous degree $d$ polynomial in $n > d^2$ variables has a p-adic rational root [AK65, HB10]. The hard cases of $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}$ then appear to consist of high degree polynomials with few variables and $p$ small.

It is interesting to observe that while it is easier for a polynomial in many variables to have roots over $\mathbb{Q}_p$ than over $\mathbb{R}$, deciding the existence of roots appears to be much harder over $\mathbb{Q}_p$ than over $\mathbb{R}$. In particular, while Tarski showed in 1939 that $\mathrm{FEAS}_{\mathbb{R}}$ is decidable [Tar51], $\mathrm{FEAS}_{\mathbb{Q}_p}$ wasn't shown to be decidable until work of Cohen in the 1960s [Coh69]. Now, the best general complexity upper bounds appear to be PSPACE for $\mathrm{FEAS}_{\mathbb{R}}$ [Can88] and quadruply exponential for $\mathrm{FEAS}_{\mathbb{Q}_p}$ [BMc67, Gre74].

While the univariate problems $\mathrm{FEAS}_{\mathbb{R}}(\mathcal{F}_{1,2})$ and $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}(\mathcal{F}_{1,2})$ are now both known to be in P, their natural multivariate extensions $\mathrm{FEAS}_{\mathbb{R}}(\bigcup_{n\in\mathbb{N}} \mathcal{F}^*_{n,n+1})$ and $\mathrm{FEAS}_{\mathbb{Q}_p}(\bigcup_{n\in\mathbb{N}} \mathcal{F}^*_{n,n+1})$ already carry nuances distinguishing the real and p-adic settings: topological differences between the real and p-adic zero sets of polynomials in $\mathcal{F}^*_{n,n+1}$ force the underlying feasibility algorithms to differ. Concretely, positive zero sets for polynomials in $\mathcal{F}^*_{n,n+1}$ are always either empty or non-compact. This in turn allows one to solve $\mathrm{FEAS}_{\mathbb{R}}(\bigcup_{n\in\mathbb{N}} \mathcal{F}^*_{n,n+1})$ by simply checking signs of coefficients, independent of the exponents [BRS09, Thm. 1.3]. On the other hand, solving $\mathrm{FEAS}_{\mathbb{Q}_p}(\bigcup_{n\in\mathbb{N}} \mathcal{F}^*_{n,n+1})$ depends critically on the exponents (see Corollary 3.2 of Section 3), and the underlying hypersurfaces in $\mathbb{Q}_p^n$ can sometimes be a single isolated point.

Example 1.5 Consider $f(x_1,x_2) := 1 + 2xf — 3x2$. Then it is easy to see that $(1,1)$ is the unique root of $f$ in $\mathbb{F}_2^2$. Via Hensel's Lemma (see Section 2 below), the root $(1,1) \in \mathbb{F}_2^2$ can then be lifted to a unique root of $f$ in $\mathbb{Q}_2^2$. In particular, by checking valuations, any root of $f$ in $\mathbb{Q}_2^2$ must be the lift of some root of $f$ in $\mathbb{F}_2^2$, and thus $(1,1)$ is the only root of $f$ in $\mathbb{Q}_2^2$. ◇

Our last example illustrated the importance of finite fields in studying p-adic rational roots. Deligne's Theorem on zeta functions over finite fields (née the Weil Conjectures) is the definitive statement on the connection between point counts over finite fields and complex geometry. The central result that originally motivated the Weil Conjectures will also prove useful in our study of $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}$.



Theorem 1.6 [Wei49, pg. 502] Let $p$ be any prime, $d_1,\ldots,d_n \in \mathbb{N}$, and let $c_0,\ldots,c_n$ be integers not divisible by $p$. Then, defining $f(x) := c_0 + c_1x_1^{d_1} + \cdots + c_nx_n^{d_n}$, the number, $N$, of roots of $f$ in $\mathbb{F}_p^n$ satisfies $|N - p^{n-1}| \leq \big(\prod_{i=1}^n (\gcd(d_i,p-1) - 1)\big)\,p^{(n-1)/2}$. ■

Finally, it is worth noting that our NP-hardness proof requires the efficient construction of primes in certain arithmetic progressions. The following result, inspired by earlier work of von zur Gathen, Karpinski, and Shparlinski, may be of independent interest.

Theorem 1.7 For any $\delta > 0$, $\varepsilon \in (0,1/2)$, and $n \in \mathbb{N}$, we can find, within

$$O\Big((n/\varepsilon)^{3/2+\delta} + \big(n\log(n) + \log(1/\varepsilon)\big)^{7+\delta}\Big)$$

randomized bit operations, a sequence $P = (p_j)_{j=1}^n$ of consecutive primes and $c \in \mathbb{N}$ such that $p := 1 + c\prod_{j=1}^n p_j$ satisfies $\log p = O(n\log(n) + \log(1/\varepsilon))$ and, with probability $\geq 1 - \varepsilon$, $p$ is prime.

1.2 Future Directions 

Since NP-hardness is easier to prove for detecting roots of univariate polynomials over $\mathbb{Q}_p$ than over $\mathbb{R}$, we anticipate that a similar phenomenon occurs for multivariate polynomials.

Conjecture 1 For any fixed prime $p$ we have that $\mathrm{FEAS}_{\mathbb{Q}_p}(\bigcup_{n\in\mathbb{N}} \mathcal{F}^*_{n,n+1})$ is NP-hard.

It is already known that $\mathrm{FEAS}_{\mathbb{R}}(\bigcup_{n\in\mathbb{N}} \mathcal{F}^*_{n,n+n^{\varepsilon}})$ is NP-hard for any $\varepsilon > 0$ [BRS09, Thm. 1.3]. In particular, it is likely one can modify the proof of the latter statement to at least prove that $\mathrm{FEAS}_{\mathbb{Q}_p}(\bigcup_{n\in\mathbb{N},\,0<\varepsilon'<\varepsilon} \mathcal{F}^*_{n,n+n^{\varepsilon'}})$ is NP-hard for any fixed prime $p$.
Further speed-ups for detecting p-adic rational roots of $n$-variate $(n+1)$-nomials appear to hinge on a better understanding of the analogous problem over certain finite rings. In particular, the truth of the following conjecture would imply $\mathrm{FEAS}_{\mathbb{Q}_{\rm primes}}(\mathcal{F}^*_{n,n+1}) \in \mathbf{P}$ for any fixed $n$.

Conjecture 2 Suppose $\ell, n \in \mathbb{N}$ and $p \in \mathcal{P}$. Then $\mathrm{FEAS}_{\mathbb{Z}/p^\ell\mathbb{Z}}(\mathcal{F}^*_{n,n+1})$ admits a (deterministic) algorithm with complexity $(\log(p) + \ell + \mathrm{size}(f))^{O(n)}$.

Note that brute-force search easily attains a complexity bound of $p^{\ell n}\,\mathrm{size}(f)^{O(1)}$, so the key difficulty is the dependence on $p^\ell$.

Finally, it is worth noting that $\mathrm{FEAS}_{\mathbb{R}}(\mathcal{F}^*_{n,n+2}) \in \mathbf{P}$ for any fixed $n \in \mathbb{N}$ [BRS09, Thm. 1.3]. In fact, the proof there inspired our proof of Assertion (1) of Theorem 1.2, so it would be most interesting to extend our techniques to the multivariate case.

Conjecture 3 For any fixed $n \in \mathbb{N}$ and $p \in \mathcal{P}$ we have $\mathrm{FEAS}_{\mathbb{Q}_p}(\mathcal{F}^*_{n,n+2}) \in \mathbf{NP}$.

We review some general background in Section 2 before proving our main results. Some of the results we'll need will appear just before their use in the proofs of Assertions (0) and (3) in Section 3, the proof of Assertion (2) in Section 4, the proof of Assertion (1) in Section 5, the proof of Theorem 1.7 in Section 6.2, and the proofs of Assertions (4) and (5) in Section 6.



2 Complexity Classes and p-adic Basics

Let us first recall briefly the following complexity classes (see also [Pap95] for an excellent textbook treatment):

NC^1 The family of functions computable by Boolean circuits with size polynomial^6 in the input size and depth $O(\log(\mathrm{InputSize}))$.

P The family of decision problems which can be done within time polynomial in the input size.

ZPP The family of decision problems admitting a randomized polynomial-time algorithm giving a correct answer, or a report of failure, the latter occurring with probability $\leq 1/2$.

NP The family of decision problems where a "Yes" answer can be certified within time polynomial in the input size.

PSPACE The family of decision problems solvable within time polynomial in the input size, provided a number of processors exponential in the input size is allowed.

EXPTIME The family of decision problems solvable within time exponential in the input size.



^6 Note that the underlying polynomial depends only on the problem in question (e.g., matrix inversion, shortest path finding, primality detection) and not the particular instance of the problem.
The following containments are standard:

$$\mathbf{NC}^1 \subseteq \mathbf{P} \subseteq \mathbf{ZPP} \subseteq \mathbf{NP} \subseteq \mathbf{PSPACE} \subseteq \mathbf{EXPTIME}.$$

The properness of each adjacent inclusion above (and even the properness of $\mathbf{P} \subseteq \mathbf{PSPACE}$) is a major open problem [Pap95].

Recall that for any ring $R$, we denote its unit group by $R^*$. For any prime $p$ and $x \in \mathbb{Z}$, recall that the p-adic valuation, $\mathrm{ord}_p x$, is the greatest $k$ such that $p^k \mid x$. We can extend $\mathrm{ord}_p(\cdot)$ to $\mathbb{Q}$ by $\mathrm{ord}_p \frac{a}{b} := \mathrm{ord}_p(a) - \mathrm{ord}_p(b)$ for any $a,b \in \mathbb{Z}$; and we let $|x|_p := p^{-\mathrm{ord}_p x}$ denote the p-adic norm. The norm $|\cdot|_p$ defines a natural metric satisfying the ultrametric inequality and $\mathbb{Q}_p$ is, to put it tersely, the completion of $\mathbb{Q}$ with respect to this metric. This metric, along with $\mathrm{ord}_p(\cdot)$, extends naturally to the field of p-adic complex numbers $\mathbb{C}_p$, which is the metric completion of the algebraic closure of $\mathbb{Q}_p$ [Rob00, Ch. 3].

It will be useful to recall some classical invariants for treating quadratic polynomials over $\mathbb{Q}_p$.

Definition 2.1 [Ser73, Ch. I-IV, pp. 3-39] For any prime $p$ and $a \in \mathbb{Z}$ we define the Legendre symbol, $\left(\frac{a}{p}\right)$, to be $+1$ or $-1$ according as $a$ has a square root mod $p$ or not. Also, for any $b \in \mathbb{Z}$, we let the (p-adic) Hilbert symbol, $(a,b)_p$, be $+1$ or $-1$ according as $ax^2 + by^2 = z^2$ has a solution in $\mathbb{P}^2_{\mathbb{Q}_p}$ or not. Finally, for any $f(x) = c_0 + c_1x_1^2 + \cdots + c_nx_n^2 \in \mathbb{Z}[x_1,\ldots,x_n]$, we define $d_f := \prod_{i=1}^n c_i$ and $\varepsilon_f := \prod_{1 \leq i < j \leq n} (c_i,c_j)_p$. ◇



Theorem 2.2 [Ser73, Thm. 1, pg. 20 & Cor., pg. 31] Following the notation of Definition 2.1, let $j := \mathrm{ord}_p a$, $k := \mathrm{ord}_p b$, $u := a/p^j$, and $v := b/p^k$. Then the Hilbert symbol $(a,b)_p$ is exactly

$$(-1)^{jk\frac{p-1}{2}}\left(\frac{u}{p}\right)^{k}\left(\frac{v}{p}\right)^{j} \quad\text{or}\quad (-1)^{Z(a,b)},\ \text{where } Z(a,b) := \frac{(u-1)(v-1)}{4} + j\,\frac{v^2-1}{8} + k\,\frac{u^2-1}{8} \bmod 2,$$

according as $p \neq 2$ or $p = 2$.

Finally, $f$ has a root in $\mathbb{Q}_p^n$ iff one of the following conditions holds:

1. $n = 1$, $h := \mathrm{ord}_p(c_0/c_1)$ is even, and $\left(\frac{-c_0/(c_1p^h)}{p}\right) = 1$.

2. $n = 2$ and $(-c_0, -d_f)_p = \varepsilon_f$ (viewing $c_0$ and $d_f$ as elements of $\mathbb{Q}_p^*/(\mathbb{Q}_p^*)^2$).

3. $n = 3$ and either $c_0 \neq d_f$, or $c_0 = d_f$ and $(-1,-d_f)_p = \varepsilon_f$ (viewing $c_0$ and $d_f$ as elements of $\mathbb{Q}_p^*/(\mathbb{Q}_p^*)^2$).

4. $n \geq 4$. ■
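As an added illustration (our own code, not from the paper), the following Python evaluates the Hilbert symbol by the two formulas of Theorem 2.2 and applies the theorem's $n = 2$ and $n \geq 4$ criteria to $c_0 + c_1x_1^2 + \cdots + c_nx_n^2$; the Legendre symbol is computed by Euler's criterion, and all function names are ours.

```python
from fractions import Fraction


def split_p_part(a, p):
    """Write a nonzero rational a as p^j * u with u a p-adic unit; return (j, u)."""
    a = Fraction(a)
    assert a != 0
    j = 0
    while a.numerator % p == 0:
        a /= p
        j += 1
    while a.denominator % p == 0:
        a *= p
        j -= 1
    return j, a


def unit_mod(u, modulus):
    """Reduce a p-adic unit u = num/den modulo a power of p (den is invertible there)."""
    return (u.numerator % modulus) * pow(u.denominator % modulus, -1, modulus) % modulus


def legendre(u, p):
    """Legendre symbol (u/p) for a p-adic unit u and an odd prime p, via Euler's criterion."""
    return 1 if pow(unit_mod(u, p), (p - 1) // 2, p) == 1 else -1


def hilbert_symbol(a, b, p):
    """(a, b)_p by Theorem 2.2, with a = p^j u and b = p^k v, u and v units."""
    j, u = split_p_part(a, p)
    k, v = split_p_part(b, p)
    if p != 2:
        # (-1)^{jk(p-1)/2} (u/p)^k (v/p)^j ; only the parity of j and k matters.
        sign = -1 if (j * k * ((p - 1) // 2)) % 2 else 1
        if k % 2:
            sign *= legendre(u, p)
        if j % 2:
            sign *= legendre(v, p)
        return sign
    # p = 2: (-1)^{Z(a,b)}, Z = (u-1)(v-1)/4 + j (v^2-1)/8 + k (u^2-1)/8 mod 2.
    # Every summand depends only on u and v modulo 8, so reduce first.
    u8, v8 = unit_mod(u, 8), unit_mod(v, 8)
    z = ((u8 - 1) * (v8 - 1) // 4 + j * ((v8 * v8 - 1) // 8) + k * ((u8 * u8 - 1) // 8)) % 2
    return -1 if z else 1


def diagonal_quadratic_has_root(c, p):
    """Decide whether c[0] + c[1] x_1^2 + ... + c[n] x_n^2 has a root in Q_p^n,
    using the n = 2 and n >= 4 cases of Theorem 2.2 (all c[i] nonzero)."""
    n = len(c) - 1
    if n >= 4:
        return True
    if n == 2:
        d_f = Fraction(c[1]) * c[2]              # d_f = c_1 c_2
        eps_f = hilbert_symbol(c[1], c[2], p)    # eps_f = (c_1, c_2)_p
        return hilbert_symbol(-Fraction(c[0]), -d_f, p) == eps_f
    raise NotImplementedError("only the n = 2 and n >= 4 cases are handled here")
```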

A key tool we will use throughout this paper is Hensel's Lemma, suitably extended to multivariate Laurent polynomials.

Hensel's Lemma Suppose $f \in \mathbb{Z}_p[x_1^{\pm 1},\ldots,x_n^{\pm 1}]$ and $\zeta_0 \in \mathbb{Z}_p^n$ satisfies $\mathrm{ord}_p \frac{\partial f}{\partial x_i}(\zeta_0) = \ell < +\infty$ for some $i \in \{1,\ldots,n\}$, and $f(\zeta_0) \equiv 0 \pmod{p^{2\ell+1}}$. Then there is a root $\zeta \in \mathbb{Z}_p^n$ of $f$ with $\zeta \equiv \zeta_0 \pmod{p^{\ell+1}}$ and $\mathrm{ord}_p \frac{\partial f}{\partial x_i}(\zeta) = \mathrm{ord}_p \frac{\partial f}{\partial x_i}(\zeta_0)$. ■

The special case of polynomials appears as Theorem 1 on the bottom of Page 14 of [Her73]. (See also [BMc67].) The proof there extends almost verbatim to Laurent polynomials.
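The following Python implementation of the lifting step behind Hensel's Lemma is an added example, not code from the paper: it lifts an approximate root along one coordinate $x_i$ under exactly the hypothesis above ($\mathrm{ord}_p\,\partial f/\partial x_i(\zeta_0) = \ell$ and $f(\zeta_0) \equiv 0 \bmod p^{2\ell+1}$), for ordinary (non-Laurent) polynomials with integer coefficients; the dictionary encoding of polynomials and the function names are our own.

```python
def eval_poly(f, point):
    """Evaluate a polynomial f = {exponent tuple: integer coefficient} at an integer point."""
    total = 0
    for exps, coeff in f.items():
        term = coeff
        for x, e in zip(point, exps):
            term *= x ** e
        total += term
    return total


def partial(f, i):
    """Formal partial derivative of f with respect to variable number i."""
    g = {}
    for exps, coeff in f.items():
        if exps[i] == 0:
            continue
        e = list(exps)
        e[i] -= 1
        g[tuple(e)] = g.get(tuple(e), 0) + coeff * exps[i]
    return g


def ord_p(x, p):
    """p-adic valuation of an integer x; None stands for +infinity (x = 0)."""
    if x == 0:
        return None
    v = 0
    while x % p == 0:
        x //= p
        v += 1
    return v


def hensel_applicable(f, p, point, i):
    """Hypothesis of Hensel's Lemma at `point` along x_i:
    ell = ord_p (df/dx_i)(point) is finite and f(point) = 0 mod p^(2 ell + 1)."""
    ell = ord_p(eval_poly(partial(f, i), point), p)
    if ell is None:
        return False
    v = ord_p(eval_poly(f, point), p)
    return v is None or v >= 2 * ell + 1


def hensel_lift(f, p, point, i, precision):
    """Lift `point` along coordinate i to a root of f modulo p**precision.
    Returns the lifted point as a tuple; coordinate i is reduced modulo p**precision."""
    if not hensel_applicable(f, p, point, i):
        raise ValueError("the hypothesis of Hensel's Lemma fails at this point")
    df = partial(f, i)
    ell = ord_p(eval_poly(df, point), p)
    modulus = p ** precision
    point = list(point)
    # One step takes a root mod p^m (m >= 2 ell + 1) to a root mod p^(2m - 2 ell), and
    # 2m - 2 ell >= m + 1, so at most `precision` steps are needed.
    for _ in range(precision + 1):
        value = eval_poly(f, point)
        if value % modulus == 0:
            return tuple(point)
        # Newton step x -> x - f(x)/f'(x), with the p-part of f'(x) divided out:
        # f(x)/p^ell is still divisible by p^(ell+1) and f'(x)/p^ell is a p-adic unit,
        # whose inverse modulo p^precision is taken with pow(..., -1, modulus).
        t = value // p ** ell
        unit = (eval_poly(df, point) // p ** ell) % modulus
        point[i] = (point[i] - t * pow(unit, -1, modulus)) % modulus
    raise RuntimeError("did not converge")  # unreachable under the hypothesis
```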
3 From Binomials to (n+1)-nomials: Proving Assertions (0) and (3)

Let us first recall the following standard lemma on taking radicals in certain finite groups.

Lemma 3.1 (See, e.g., [BS96, Thm. 5.7.2 & Thm. 5.6.2, pg. 109]) Given any cyclic group $G$, $a \in G$, and an integer $d$, the following 3 conditions are equivalent:

1. The equation $x^d = a$ has a solution.

2. The order of $a$ divides $\#G/\gcd(d,\#G)$.

3. $a^{\#G/\gcd(d,\#G)} = 1$.

Also, $\mathbb{F}_q^*$ is cyclic for any prime power $q$, and $(\mathbb{Z}/p^\ell\mathbb{Z})^*$ is cyclic for any $(p,\ell)$ with $p$ an odd prime or $\ell \leq 2$. Finally, for $\ell \geq 3$, $(\mathbb{Z}/2^\ell\mathbb{Z})^* = \{\pm 1, \pm 5, \pm 5^2, \pm 5^3, \ldots, \pm 5^{2^{\ell-2}-1} \bmod 2^\ell\}$. ■

A direct consequence of Lemma 3.1 and Hensel's Lemma is the following characterization of univariate binomials with p-adic rational roots.

Corollary 3.2 Suppose $c \in \mathbb{Q}^*$ and $d \in \mathbb{Z}\setminus\{0\}$. Let $k := \mathrm{ord}_p c$, $\ell := \mathrm{ord}_p d$, and (if $p = 2$ and $d$ is even) $d' := (d/2^\ell)^{-1} \pmod{2^{2\ell-1}}$. Then the equation $x^d = c$ has a solution in $\mathbb{Q}_p$ iff $d \mid \mathrm{ord}_p c$ and one of the following two conditions hold:

(a) $p$ is odd and $\left(\frac{c}{p^k}\right)^{p^{2\ell}(p-1)/\gcd(d,\,p^{2\ell}(p-1))} \equiv 1 \pmod{p^{2\ell+1}}$.

(b) $p = 2$ and either (i) $d$ is odd, or (ii) $\left(\frac{c}{2^k}\right)^{d'} \equiv 1 \pmod 8$ and $\left(\frac{c}{2^k}\right)^{d'\,2^{\max\{\ell-2,\,0\}}} \equiv 1 \pmod{2^{2\ell}}$.

In particular, these conditions can be checked in time polynomial in $\log(d) + \log(p)$ when $\log c = (\log(d) + \log(p))^{O(1)}$. Furthermore, when $\mathrm{ord}_p c = 0$, $x^d = c$ has a root in $\mathbb{Q}_p$ iff $x^d = c$ has a root in $(\mathbb{Z}/p^{2\ell+1}\mathbb{Z})^*$.

Proof: Replacing $c$ by $1/c$ (and $d$ by $-d$) we can clearly assume $d > 0$. Clearly, any p-adic root $\zeta$ of $x^d - c$ satisfies $d\,\mathrm{ord}_p \zeta = \mathrm{ord}_p c$. This accounts for the condition preceding Conditions (a) and (b).

Replacing $x$ by $p^{\mathrm{ord}_p c/d}x$ (which clearly preserves the existence of roots in $\mathbb{Q}_p^*$) we can assume further that $\mathrm{ord}_p c = \mathrm{ord}_p \zeta = 0$. Moreover, $\mathrm{ord}_p f'(\zeta) = \mathrm{ord}_p(d) + (d-1)\,\mathrm{ord}_p \zeta = \mathrm{ord}_p d$. So by Hensel's Lemma, $x^d - c$ has a root in $\mathbb{Q}_p^*$ iff $x^d - c$ has a root in $(\mathbb{Z}/p^{2\ell+1}\mathbb{Z})^*$. Lemma 3.1 then immediately accounts for Condition (a) when $p$ is odd.

Condition (b) then follows routinely: First, one observes that exponentiating by an odd power is an automorphism of $(\mathbb{Z}/2^{2\ell+1}\mathbb{Z})^*$, and thus $x^d - c$ has a root in $(\mathbb{Z}/2^{2\ell+1}\mathbb{Z})^*$ iff $x^{2^\ell} - c^{d'}$ does. Should $\ell = 0$ then one has a root regardless of $c$. Otherwise, $c^{d'}$ must be a square for there to be a root. Since $\mathrm{ord}_p c = 0$, $c$ is odd and [BS96, Ex. 38, pg. 192] tells us that $c^{d'}$ is a square in $(\mathbb{Z}/2^{2\ell+1}\mathbb{Z})^*$ iff $c^{d'} \equiv 1 \pmod 8$. Invoking Lemma 3.1 once more on the cyclic subgroup $\{1, 5^2, 5^4, 5^6, \ldots, 5^{2^{2\ell-1}-2}\}$, it is clear that Condition (b) is exactly what we need when $p = 2$.

To conclude, recall that arithmetic in $\mathbb{Z}/p^{2\ell+1}\mathbb{Z}$ can be done in time polynomial in $\log(p^{2\ell+1})$ [BS96, Ch. 5]. Recall also that, in any ring, $x^n$ can be computed using just $O(\log n)$ bit operations and multiplication of powers of $x$, via recursive squaring [BS96, Thm. 5.4.1, pg. 103]. Our conditions are then clearly simple enough to yield the asserted time bound.

The final assertion follows immediately from setting $k = 0$ in the conditions we've just derived. ■
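As an added example (our own code, not the paper's), the following Python decides $x^d = c$ over $\mathbb{Q}_p$ by the conditions of Corollary 3.2 and, for the unit case $\mathrm{ord}_p c = 0$, cross-checks them against the exhaustive search over $(\mathbb{Z}/p^{2\ell+1}\mathbb{Z})^*$ that the corollary's last assertion permits; rational $c$ is handled with fractions.Fraction.

```python
from fractions import Fraction
from math import gcd


def ord_p(x, p):
    """p-adic valuation of a nonzero rational x."""
    x = Fraction(x)
    assert x != 0
    v = 0
    num, den = x.numerator, x.denominator
    while num % p == 0:
        num //= p
        v += 1
    while den % p == 0:
        den //= p
        v -= 1
    return v


def unit_part_mod(c, p, k, modulus):
    """Reduce the p-adic unit c / p^k modulo `modulus` (a power of p)."""
    u = Fraction(c) / Fraction(p) ** k
    return (u.numerator % modulus) * pow(u.denominator % modulus, -1, modulus) % modulus


def binomial_has_p_adic_root(d, c, p):
    """Decide whether x^d = c has a solution in Q_p by Corollary 3.2
    (c a nonzero rational, d a nonzero integer, p prime)."""
    c = Fraction(c)
    if d < 0:                       # x^d = c  <=>  x^(-d) = 1/c
        d, c = -d, 1 / c
    k = ord_p(c, p)
    if k % d != 0:                  # d must divide ord_p c
        return False
    ell = ord_p(d, p)
    modulus = p ** (2 * ell + 1)
    u = unit_part_mod(c, p, k, modulus)
    if p != 2:
        # Condition (a): (Z/p^(2l+1)Z)^* is cyclic of order p^(2l)(p-1); apply Lemma 3.1.
        order = p ** (2 * ell) * (p - 1)
        return pow(u, order // gcd(d, order), modulus) == 1
    if d % 2 == 1:                  # Condition (b)(i)
        return True
    # Condition (b)(ii): d' inverts d/2^l modulo 2^(2l-1), the exponent of the group.
    d_prime = pow(d >> ell, -1, 2 ** (2 * ell - 1))
    v = pow(u, d_prime, modulus)
    return v % 8 == 1 and pow(v, 2 ** max(ell - 2, 0), 2 ** (2 * ell)) == 1


def binomial_root_mod_bruteforce(d, c, p):
    """Last assertion of Corollary 3.2 (needs ord_p c = 0): search (Z/p^(2l+1)Z)^* directly."""
    c = Fraction(c)
    if d < 0:
        d, c = -d, 1 / c
    assert ord_p(c, p) == 0
    ell = ord_p(d, p)
    modulus = p ** (2 * ell + 1)
    target = unit_part_mod(c, p, 0, modulus)
    return any(pow(x, d, modulus) == target for x in range(1, modulus) if x % p)
```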
At this point, the proof of Assertion (0) of Theorem 1.2 is trivial. By combining our last result with a classical integral matrix factorization, Assertion (3) then also becomes easy to prove. So let us first motivate the connection between n-variate (n+1)-nomials and matrices.

Proposition 3.3 Suppose $K$ is any field, $c_0,\ldots,c_n \in K$ with $c_i \neq 0$ for some $i \in \{1,\ldots,n\}$, $a_1,\ldots,a_n \in \mathbb{Z}^n$ are linearly independent vectors, $A$ is the $n \times n$ matrix with columns $a_1,\ldots,a_n$, and $f(x) := c_0 + c_1x^{a_1} + \cdots + c_nx^{a_n}$. Then, letting $x = (x_1,\ldots,x_n) \in (K^*)^n$ and $f_i := x_i\frac{\partial f}{\partial x_i}$ for all $i$, we have:

$$[f_1(x),\ldots,f_n(x)] = [c_1x^{a_1},\ldots,c_nx^{a_n}]\,A^T.$$

In particular, all the roots of $f$ in $(K^*)^n$ are non-degenerate.

Proof: The first assertion is routine. For the second assertion, observe that if $\zeta \in (K^*)^n$ is any root of $f$ then, thanks to our first assertion, the vector $[f_1(\zeta),\ldots,f_n(\zeta)]$ can not vanish because $\det A \neq 0$. ■

Definition 3.4 Let $\mathbb{Z}^{n \times n}$ denote the set of $n \times n$ matrices with all entries integral, and let $GL_n(\mathbb{Z})$ denote the set of all matrices in $\mathbb{Z}^{n \times n}$ with determinant $\pm 1$ (the set of unimodular matrices). Recall that any $n \times n$ matrix $[u_{i,j}]$ with $u_{i,j} = 0$ for all $i > j$ is called upper triangular.

Given any $M \in \mathbb{Z}^{n \times n}$, we then call an identity of the form $UM = H$, with $H = [h_{i,j}] \in \mathbb{Z}^{n \times n}$ upper triangular and $U \in GL_n(\mathbb{Z})$, a Hermite factorization of $M$. Also, if we have the following conditions in addition:

1. $h_{i,j} \geq 0$ for all $i,j$.

2. for all $i$, if $j$ is the smallest $j'$ such that $h_{i,j'} \neq 0$ then $h_{i,j} > h_{i',j}$ for all $i' < i$.

then we call $H$ the Hermite normal form of $M$.

Also, we call any identity of the form $UMV = S$ with $U, V \in GL_n(\mathbb{Z})$ and $S$ diagonal a Smith factorization. In particular, if $S = [s_{i,j}]$ and we require additionally that $s_{i,i} \geq 0$ and $s_{i,i} \mid s_{i+1,i+1}$ for all $i \in \{1,\ldots,n\}$ (setting $s_{n+1,n+1} := 0$), then such a factorization for $M$ is unique and is called the Smith factorization.

Finally, defining $x^A = (x_1^{a_{1,1}} \cdots x_n^{a_{n,1}}, \ldots, x_1^{a_{1,n}} \cdots x_n^{a_{n,n}})$, we call any map defined by $x \mapsto x^A$ a monomial change of variables. ◇

Proposition 3.5 We have that $x^{AB} = (x^A)^B$ for any $A, B \in \mathbb{Z}^{n \times n}$. Also, for any field $K$, the map defined by $m(x) = x^U$, for any unimodular matrix $U \in \mathbb{Z}^{n \times n}$, is an automorphism of $(K^*)^n$. Finally, for any column vector $v \in \mathbb{Z}^n$, the smallest valuation of an entry of $Uv$ is $k$ $\iff$ the smallest valuation of an entry of $v$ is $k$. ■

Theorem 3.6 [Sto00, Ch. 6 & 8, pg. 128] For any $A = [a_{i,j}] \in \mathbb{Z}^{n \times n}$, the Hermite and Smith factorizations of $A$ can be computed within $O(n^{3.376}\log^2(n\max_{i,j}|a_{i,j}|))$ bit operations. Furthermore, the entries of all matrices in the Hermite and Smith factorizations have bit size $O(n\log(n\max_{i,j}|a_{i,j}|))$. ■
Lemma 3.7 Following the notation of Definition 3.4 and Proposition 3.5, suppose $\det A \neq 0$, $c_1,\ldots,c_n \in \mathbb{Q}^*$, $c := (c_1,\ldots,c_n)$, $c' := (c'_1,\ldots,c'_n) := \left(\frac{c_1}{p^{\mathrm{ord}_p c_1}}, \ldots, \frac{c_n}{p^{\mathrm{ord}_p c_n}}\right)$, $L := \max_i \mathrm{ord}_p s_{i,i}$, and let $v_1,\ldots,v_n$ be the columns of $V$. Then $x^A = c$ has a solution in $(\mathbb{Q}_p^*)^n$ iff (a) $(\mathrm{ord}_p c_1,\ldots,\mathrm{ord}_p c_n)\cdot v_i \equiv 0 \bmod s_{i,i}$ for all $i$ and (b) $x^A = c'$ has a solution in $((\mathbb{Z}/p^{2L+1}\mathbb{Z})^*)^n$. In particular, the existence of a solution in $(\mathbb{Q}_p^*)^n$ for $x^A = c$ can be decided in time polynomial in $n$ and $\log(n\max_{i,j}|a_{i,j}|)$.

Proof: The necessity of Condition (a) follows immediately from Proposition 3.5 upon observing that the valuations of the vector $x^A$ are exactly the entries of $[\mathrm{ord}_p x_1,\ldots,\mathrm{ord}_p x_n]\,A$. Conversely, should Condition (a) hold, we can reduce to the case where $\mathrm{ord}_p c_i = 0$ for all $i$. So let us assume the last condition.

Observe now that $x^A = c$ iff $x^{AV} = c^V$. Upon substituting $x := y^U$, we see that the latter equation holds iff $y^{UAV} = c^V$. In other words, $y^S = c^V$. By Proposition 3.5 the last system has a solution in $(\mathbb{Q}_p^*)^n$ iff the first system does. By Corollary 3.2 we thus see that Condition (b) is necessary and sufficient.

To prove the asserted complexity bound, note that we can find $U$, $V$, and $S$ within the asserted time bound, thanks to Theorem 3.6. Note also that by recursive squaring (and the observation that $\det A = \prod_{i=1}^n s_{i,i}$), we can find the $p$-parts of the $s_{i,i}$ and thus compute $L$ in polynomial-time. So then, applying Corollary 3.2 $n$ times, we can decide in P whether $y^S = c^V$ has a root in $(\mathbb{Q}_p^*)^n$. ■

A final ingredient we will need is a method to turn roots of honest n-variate (n+1)-nomials on coordinate subspaces to roots in the algebraic torus.

Lemma 3.8 Suppose $c_0,\ldots,c_{k+1} \in \mathbb{Q}^*$, $a_1,\ldots,a_k \in \mathbb{Z}^k$ are linearly independent vectors, $\alpha := (\alpha_1,\ldots,\alpha_{k+1}) \in \mathbb{Z}^{k+1}$ with $\alpha_{k+1} > 0$, and $f(x) := c_0 + c_1x^{a_1} + \cdots + c_kx^{a_k} + c_{k+1}x^{\alpha}$ has a root in $(\mathbb{Z}_p\setminus\{0\})^k \times \{0\}$. Then $f$ has a non-degenerate root in $(\mathbb{Z}_p\setminus\{0\})^{k+1}$. ■

Proof: Let $\zeta = (\zeta_1,\ldots,\zeta_k,0) \in (\mathbb{Z}_p\setminus\{0\})^k \times \{0\}$ be the stated root of $f$ and let $A$ denote the $k \times k$ matrix whose columns are $a_1,\ldots,a_k$. By Proposition 3.3 we then have that $(\zeta_1,\ldots,\zeta_k)$ is a non-degenerate root of $\bar{f}(x) := c_0 + c_1x^{a_1} + \cdots + c_kx^{a_k}$.

To conclude, observe that $\frac{\partial \bar{f}}{\partial x_i}(\zeta_1,\ldots,\zeta_k) = \frac{\partial f}{\partial x_i}(\zeta_1,\ldots,\zeta_k,0)$ for all $i \in \{1,\ldots,k\}$. So $\zeta$ is a non-degenerate root of $f$. By the Implicit Function Theorem for analytic (i.e., $C^\omega$) functions over $\mathbb{Q}_p$ [Glo06, Thm. 7.4, pg. 237], there must then be a (non-degenerate) root $(\zeta'_1,\ldots,\zeta'_k,p^t)$ of $f$ for any sufficiently large $t \in \mathbb{N}$, with $\zeta'_i \to \zeta_i$ for all $i \in \{1,\ldots,k\}$ as $t \to +\infty$. Thus, we can find a root of $f$ in $(\mathbb{Z}_p\setminus\{0\})^{k+1}$. ■

Remark 3.9 Note that Example 1.5 from Section 1.1 shows that the converse of Lemma 3.8 need not hold. On the other hand, over the real numbers, both the corresponding analogue of Lemma 3.8 and its converse hold [BRS09, Cor. 2.6]. ◇

Henceforth, we will let $O$ denote the origin in whatever vector space we are working with.



Definition 3.10 Suppose $K$ is a field, $c_0,\ldots,c_n \in K^*$, the vectors $a_0,\ldots,a_n \in \mathbb{Z}^n$ are such that $a_1 - a_0, \ldots, a_n - a_0$ are linearly independent, and $f(x) := c_0x^{a_0} + c_1x^{a_1} + \cdots + c_nx^{a_n}$. We then call any sub-summand of the form $\tilde{f}(x) = c_{i_1}x^{a_{i_1}} + \cdots + c_{i_r}x^{a_{i_r}}$, with $\{i_1,\ldots,i_r\}$ of cardinality $r \geq 1$, an initial term polynomial of $f$. ◇

Remark 3.11 Note that setting any subset of variables equal to $0$ in $f$, with the resulting Laurent polynomial still well-defined and not identically $0$, results in an initial term polynomial of $f$. ◇

Corollary 3.12 Suppose $f \in \mathbb{C}_p[x_1^{\pm 1},\ldots,x_n^{\pm 1}]$ has positive-dimensional Newton polytope with $O$ as one of its vertices. Then $f$ has a root in $(\mathbb{Q}_p^*)^n$ $\iff$ some initial term polynomial of $f$ with at least 2 terms has a root in $(\mathbb{Q}_p^*)^n$.

Proof: The ($\Rightarrow$) direction is trivial since $f$ is an initial term polynomial by default. So let us focus on the ($\Leftarrow$) direction.

By assumption, we can then write $f(x) = c_0 + c_1x^{a_1} + \cdots + c_nx^{a_n}$ with $c_0,\ldots,c_n \in \mathbb{C}_p^*$. Let $\zeta \in (\mathbb{Q}_p^*)^n$ be a root of some initial term polynomial $\tilde{f}$ of $f$. By Proposition 3.5, $\tilde{f}(x)$ has a root in $(\mathbb{Q}_p^*)^n$ $\iff$ $\tilde{f}(x^U)$ has a root in $(\mathbb{Q}_p^*)^n$. So via the Hermite Factorization, we may assume that $\tilde{f}(x) = c_0 + c_1x^{a_1} + \cdots + c_nx^{a_n}$ and the matrix $A$ whose columns are $a_1,\ldots,a_n$ is upper-triangular. In other words, we may assume that $\tilde{f}$ is independent of its last $n - r$ variables, for some $r \in \{1,\ldots,n-1\}$. So then, we may assume that $\zeta \in (\mathbb{Q}_p^*)^r \times \{0\}^{n-r}$ and $\tilde{f} \in \mathbb{C}_p[x_1^{\pm 1},\ldots,x_r^{\pm 1}]$. By multiplying certain rows of $A$ by $-1$ we can then clearly assume that $\zeta \in (\mathbb{Z}_p\setminus\{0\})^r \times \{0\}^{n-r}$. By Lemma 3.8 (and induction) we then obtain that $f$ must have a root in $(\mathbb{Q}_p^*)^n$. ■

3.1 The Proofs of Assertions (0) and (3) of Theorem 1.2

Assertion (0): First note that the case $m \leq 1$ is trivial: such a univariate m-nomial has no roots in $\mathbb{Q}_p$ iff it is a nonzero constant.

The case $m = 2$ then follows immediately from Corollary 3.2. ■

Assertion (3):

Part (a): First note that if $\zeta = (\zeta_1,\ldots,\zeta_n) \in \mathbb{Q}_p^n$ is a root of $f$ then all the exponents of $x_i$ in $f$ must be nonnegative for $\zeta_i = 0$. We can then assume that, for all such $i$, some exponent of $x_i$ must be 0. (Otherwise, $f$ would vanish on the entire hyperplane $\{x_i = 0\}$, and the strict positivity of these exponents of $x_i$ in $f$ would be checkable a priori in quadratic time.) Note also that $\zeta$ being a root of $f$ is unaffected if we multiply $f$ by any power of $x_j$, provided

We can then clearly assume that $f$ has a nonzero constant term, write $f(x) = c_0 + c_1x^{a_1} + \cdots + c_nx^{a_n}$ for some $c_0,\ldots,c_n \in \mathbb{Z} \setminus \{0\}$, and let $A$ denote the matrix with columns $a_1,\ldots,a_n$. (Note also that enforcing our assumption that $f$ have a nonzero constant term induces at worst a factor of 2 growth in absolute values of the entries of $A$.) By Corollary 3.12 it then suffices to certify the existence of a root of $f$ in $(\mathbb{Q}_p^*)^n$.

Set $L := \max_i \mathrm{ord}_p(c_i) + \max_i \mathrm{ord}_p s_{i,i} + 1$ where the $s_{i,i}$ denote the diagonal entries of the Smith Normal Form of $A$. Our certificate for $f$ having a root in $(\mathbb{Q}_p^*)^n$ will then be a root $\mu_0 \in (\mathbb{Z}/p^{2L+1}\mathbb{Z})^n \setminus \{O\}$ of the mod $p^{2L+1}$ reduction of $h(x) := g(x_1^{\pm 1},\ldots,x_n^{\pm 1})$, for some choice of reciprocals, where $g(x) := x^{-a_i}\tilde f(x)$ for some $i$, and $\tilde f$ is an initial term polynomial of $f$ with at least 2 terms. We will now show that $f$ has a root $\zeta \in (\mathbb{Q}_p^*)^n$ iff a certificate of the preceding form exists.

To prove the ($\Longrightarrow$) direction, let us first clarify the choice of reciprocals in $g(x_1^{\pm 1},\ldots,x_n^{\pm 1})$: we place an exponent of $-1$ for all $j$ where $\zeta_j \in \mathbb{Q}_p \setminus \mathbb{Z}_p$. Clearly then, with the preceding choice of reciprocals, $f(x_1^{\pm 1},\ldots,x_n^{\pm 1})$ has a root $\mu \in (\mathbb{Z}_p \setminus \{0\})^n$. The choice of $i$ to define $h(x)$ is also simple to pin down: pick any $i$ with $\mathrm{ord}_p(\mu^{a_i})$ minimal. The roots of $h(x) := x^{-a_i}\tilde f(x_1^{\pm 1},\ldots,x_n^{\pm 1})$ in $(\mathbb{Q}_p^*)^n$ are clearly independent of $i$.

To clarify the choice of $\tilde f$ let us first write $h(x) := \gamma_0 + \gamma_1x^{\alpha_1} + \cdots + \gamma_nx^{\alpha_n}$. The $\gamma_i$ are then a re-ordering of the $c_i$, the $\alpha_i$ are differences of columns of $A$, and the matrix $A'$ with columns $\alpha_1,\ldots,\alpha_n$ is non-singular and has entries no larger in absolute value than twice those of $A$. We also have that $\mathrm{ord}_p(\mu^{\alpha_i}) \ge 0$ for all $i$ by construction. Moreover, by the ultrametric property (applied to the sum $\gamma_0 + (\gamma_1\mu^{\alpha_1} + \cdots + \gamma_n\mu^{\alpha_n})$), the root $\mu$ of $h$ must satisfy $\mathrm{ord}_p(\gamma_i\mu^{\alpha_i}) \le \mathrm{ord}_p\gamma_0 \le \max_k \mathrm{ord}_p c_k < L$ for some $i$. (Otherwise $\mathrm{ord}_p h(\mu) = \mathrm{ord}_p\gamma_0 < +\infty$.) By Propositions 3.3 and 3.5 and the Smith factorization of the matrix $A'$, we must then have $\mathrm{ord}_p h_j(\mu) \le \mathrm{ord}_p(\gamma_0) + \max_i \mathrm{ord}_p(2s_{i,i}) < L = O(\mathrm{size}(f))$ for some $j$.

Clearly then, there are $u_{i_1},\ldots,u_{i_r} \in \mathbb{Z}_p \setminus \{0\}$ with $r \ge 1$, $L > \mathrm{ord}_p u_{i_j} \ge \mathrm{ord}_p\gamma_{i_j}$ for all $j$, $\gamma_0 + u_{i_1} + \cdots + u_{i_r} = 0$, and $(\mu^{\alpha_{i_1}},\ldots,\mu^{\alpha_{i_r}}) = \left(\frac{u_{i_1}}{\gamma_{i_1}},\ldots,\frac{u_{i_r}}{\gamma_{i_r}}\right)$. So define $\tilde f$ to be the sum of terms of $f$ corresponding to picking the $i_1,\ldots,i_r$ terms of $h$. By Lemma 3.7, $\mu$ then has a well-defined mod $p^{2L+1}$ reduction $\mu_0 \in (\mathbb{Z}/p^{2L+1}\mathbb{Z})^n \setminus \{O\}$ that is a root of the mod $p^{2L+1}$ reduction of $h$. So the ($\Longrightarrow$) direction is proved.

To prove the ($\Longleftarrow$) direction, let us suppose that the mod $p^{2L+1}$ reduction of $h(x) := g(x_1^{\pm 1},\ldots,x_n^{\pm 1})$ has a root $\mu_0 \in (\mathbb{Z}/p^{2L+1}\mathbb{Z})^n \setminus \{O\}$ for some choice of signs, some choice of $i$, and some choice of initial term polynomial $\tilde f$ of $f$ so that $g(x) = x^{-a_i}\tilde f(x)$. Writing $h(x) = \gamma_0 + \gamma_{i_1}x^{\alpha_{i_1}} + \cdots + \gamma_{i_r}x^{\alpha_{i_r}}$ as before, it is clear that $\mathrm{ord}_p(\gamma_i\mu^{\alpha_i}) \le \mathrm{ord}_p\gamma_0$ for some $i$ by the ultrametric inequality. So then, by Proposition 3.3, $\mathrm{ord}_p h'(\mu) < L$, and then by Hensel's Lemma, $h$ has a root $\mu' \in \mathbb{Z}_p^n \setminus \{O\}$. By Corollary 3.12, $h(x) := \gamma_0 + \gamma_1x^{\alpha_1} + \cdots + \gamma_nx^{\alpha_n}$ must then have a root $\mu \in (\mathbb{Z}_p \setminus \{0\})^n$. So by the definition of $h$, it is then clear that defining $\zeta_i = \mu_i^{\pm 1}$ for a suitable choice of signs, $\zeta := (\zeta_1,\ldots,\zeta_n)$ is a root of $f$. ■

Part (b): Since the Legendre symbol can be evaluated within $O((\log a)(\log p))$ bit operations [BS96, Thm. 5.9.3, pg. 113], the criteria from Theorem 2.2 can clearly be checked in time polynomial in $\mathrm{size}(f)$. So we are done. ■

Part (c): Via the Smith Normal Form, Proposition 3.5 and Corollary 3.12 we can reduce to the special case detailed in Theorem 1.6, i.e., we may assume that we have an instance of the form $f(x) = c_0 + c_1x_1^{d_1} + \cdots + c_nx_n^{d_n}$ with $d_1,\ldots,d_n \in \mathbb{N}$, and thus $n!V_f = \prod_{i=1}^n d_i > \prod_{i=1}^n \left(\gcd(d_i,p-1)-1\right)$.

By the succinct certificates we used to prove Part (a), we see that the existence of a root of $f$ in $\mathbb{Q}_p^n$ is implied by the existence of a root of $f$ in $\mathbb{F}_p^n$ if $\mathrm{ord}_p|c_0| = \cdots = \mathrm{ord}_p|c_n| = \mathrm{ord}_p(n!V_f) = 0$. By Theorem 1.6 a root for $f$ in $\mathbb{F}_p^n$ is guaranteed if $n \ge 2$, $p$ does not divide any $c_i$, and $p > (n!V_f)^{2/(n-1)}$. So we are done. ■

4 Discriminants, $p$-adic Newton Polygons, and Assertion (2)

The intuition behind the speed-up of Assertion (2) is that the hardness of instances of $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathbb{Z}[x_1] \times \mathcal{P})$ is governed by numerical conditioning, quite similar to the sense long known in numerical linear algebra (and extended more recently to real feasibility [CS99]). More concretely, the classical fact that Newton iteration converges more quickly for a root $\zeta \in \mathbb{C}$ of $f$ with $f'(\zeta)$ having large norm (i.e., a well-conditioned root) persists over $\mathbb{Q}_p$.

To prepare for our next proof, let us first clarify the statement about natural density in Assertion (2) of Theorem 1.2.

Definition 4.1 Letting $\#$ denote set cardinality, we say that $S \subseteq \mathcal{P}$ has (natural) density $\mu$ iff $\lim \#\{\cdots\}$

Now let $(\mathbb{Z} \times (\mathbb{N} \cup \{0\}))^\infty$ denote the set of all infinite sequences of pairs $((c_i,a_i))_{i=1}^\infty$ with $c_i = a_i = 0$ for $i$ sufficiently large. Note then that $\mathbb{Z}[x_1]$ admits a natural embedding into $(\mathbb{Z} \times (\mathbb{N} \cup \{0\}))^\infty$ by considering coefficient-exponent pairs in order of increasing exponents, e.g., $a + bx^{99} + x^{2001} \mapsto ((a,0),(b,99),(1,2001),(0,0),(0,0),\ldots)$. Natural density for a set of pairs $X \subseteq \mathbb{Z}[x_1] \times \mathcal{P}$ then simply means the corresponding natural density within $(\mathbb{Z} \times (\mathbb{N} \cup \{0\}))^\infty \times \mathcal{P}$.

The exceptional set to Assertion (2) can be made more precise once one introduces the $A$-discriminant. But first we must introduce the resultant and some quantitative estimates.



Definition 4.2 (See, e.g., [GKZ94, Ch. 12, Sec. 1, pp. 397-402].) Suppose $f(x_1) = a_0 + \cdots + a_dx_1^d$ and $g(x_1) = b_0 + \cdots + b_{d'}x_1^{d'}$ are polynomials with indeterminate coefficients. We define their Sylvester matrix to be the $(d+d') \times (d+d')$ matrix

Lemma 4.3 Following the notation of Definition 4.2, assume $f, g \in K[x_1]$ for some field $K$, and that $a_d$ and $b_{d'}$ are not both 0. Then $f = g = 0$ has a root in the algebraic closure of $K$ iff $\mathcal{R}_{(d,d')}(f,g) = 0$. More generally, we have $\mathcal{R}_{(d,d')}(f,g) = a_d^{d'}\prod_{f(\zeta)=0} g(\zeta)$ where the product counts multiplicity. Finally, if we assume further that $f$ and $g$ have complex coefficients of absolute value $\le H$, and $f$ (resp. $g$) has exactly $m$ (resp. $m'$) monomial terms, then $|\mathcal{R}_{(d,d')}(f,g)| \le m^{d'/2}\,m'^{d/2}\,H^{d+d'}$. ■

The first 2 assertions are classical (see, e.g., [GKZ94, Ch. 12, Sec. 1, pp. 397-402] and [RS02, pg. 9]). The last assertion follows easily from Hadamard's Inequality (see, e.g., [Mig82, Thm. 1, pg. 259]).

We are now ready to introduce discriminants.

Definition 4.4 For any field $K$, write any $f \in K[x_1]$ as $f(x_1) = \sum_{i=1}^m c_ix_1^{a_i}$ with $0 \le a_1 < \cdots < a_m$. Letting $A = \{a_1,\ldots,a_m\}$, we then define the $A$-discriminant of $f$, $\Delta_A(f)$, to be

7?,- - n ( f -^J- / \ / „a m -a m _i

where $d_i := (a_i - a_1)/g$ for all $i$, $\bar f(x_1) := \sum_{i=1}^m c_ix_1^{d_i}$, and $g := \gcd(a_2 - a_1,\ldots,a_m - a_1)$ (see also [GKZ94, Ch. 12, pp. 403-408]). Finally, if $c_i \ne 0$ for all $i$, then we call $\mathrm{Supp}(f) := \{a_1,\ldots,a_m\}$ the support of $f$. ⋄

Remark 4.5 Note that when $A = \{0,\ldots,d\}$ we have $\Delta_A(f) = \mathcal{R}_{(d,d-1)}(f,f')/c_d$, i.e., for dense polynomials, the $A$-discriminant agrees with the classical discriminant. ⋄

The claim of natural density in Assertion (2) of Theorem 1.2 can then be made explicit as follows.

Corollary 4.6 For any subset $A = \{a_1,\ldots,a_m\} \subset \mathbb{N} \cup \{0\}$ with $0 = a_1 < \cdots < a_m$, let $\mathcal{F}_A$ denote the family of pairs $(f,p) \in \mathbb{Z}[x_1] \times \mathcal{P}$ with $f(x_1) = \sum_{i=1}^m c_ix_1^{a_i}$, and $\mathcal{F}'_A$ denote the subset of $\mathcal{F}_A$ consisting of those pairs $(f,p)$ with $p \nmid \Delta_A(f)$. Also let $\mathcal{F}_A(H)$ (resp. $\mathcal{F}'_A(H)$) denote those pairs $(f,p)$ in $\mathcal{F}_A$ (resp. $\mathcal{F}'_A$) where $|c_i| \le H$ for all $i \in [m]$ and $p \le H$. Finally, let $d := a_m/\gcd(a_2,\ldots,a_m)$. Then for all $H \ge 17$ we have

$$\frac{\#\mathcal{F}'_A(H)}{\#\mathcal{F}_A(H)} \ \ge\ \left(1 - \frac{(2d-1)m}{2H+1}\right)\left(1 - \frac{1 + (2d-1)\log(mH)\log H}{H}\right).$$

In particular, we will see in the proof of Assertion (2) of Theorem 1.2 that the exceptional set $\mathcal{E}$ is merely the complement of the union $\bigcup_A \mathcal{F}'_A$ as $A$ ranges over all finite subsets of $\mathbb{N} \cup \{0\}$. Our corollary above is proved in Section 7.2.

Another bit of background we'll need to prove Assertion (2) of Theorem 1.2 is some arithmetic tropicalia.

Definition 4.7 Given any polynomial $f(x_1) := \sum_{i=1}^m c_ix_1^{a_i} \in \mathbb{Z}[x_1]$, we define its $p$-adic Newton polygon, $\mathrm{Newt}_p(f)$, to be the convex hull of the points $\{(a_i,\mathrm{ord}_p c_i) \mid i \in \{1,\ldots,m\}\}$. Also, a face of a polygon $P \subset \mathbb{R}^2$ is called lower iff it has an inner normal with positive last coordinate, and the lower hull of $P$ is simply the union of all its lower edges. Finally, the polynomial associated to summing the terms of $f$ corresponding to points of the form $(a_i,\mathrm{ord}_p c_i)$ lying on a lower face of $\mathrm{Newt}_p(f)$ is called a ($p$-adic) lower polynomial. ⋄

Example 4.8 For $f(x_1) := 36 - 8868x_1 + 29305x_1^2 - 35310x_1^3 + 18240x_1^4 - 3646x_1^5 + 243x_1^6$, the polygon $\mathrm{Newt}_3(f)$ has exactly 3 lower edges and can easily be verified to resemble the illustration to the right. The polynomial $f$ thus has exactly 2 lower binomials and 1 lower trinomial. ⋄

A remarkable fact true over $\mathbb{C}_p$ but false over $\mathbb{C}$ is that the norms of roots can be determined completely combinatorially.

Lemma 4.9 (See, e.g., [Rob00, Ch. 6, Sec. 1.6].) The number of roots of $f$ in $\mathbb{C}_p$ with valuation $v$, counting multiplicities, is exactly the horizontal length of the lower face of $\mathrm{Newt}_p(f)$ with inner normal $(v,1)$. ■

Example 4.10 In Example 4.8 earlier, note that the 3 lower edges have respective horizontal lengths 2, 3, and 1, and inner normals $(1,1)$, $(0,1)$, and $(-5,1)$. Lemma 4.9 then tells us that $f$ has exactly 6 roots in $\mathbb{C}_3$: 2 with 3-adic valuation 1, 3 with 3-adic valuation 0, and 1 with 3-adic valuation $-5$. Indeed, one can check that the roots of $f$ are exactly $6$, $1$, and $1/243$, with respective multiplicities 2, 3, and 1. ⋄
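As an added illustration (not code from the paper), the following Python builds the lower hull of $\mathrm{Newt}_p(f)$ from the points $(a_i,\mathrm{ord}_p c_i)$ and reads off, for each lower edge, its horizontal length and the valuation $v$ of its inner normal $(v,1)$, i.e. the root count of Lemma 4.9, together with the support of the lower polynomial on that edge; the sample polynomial is the one from Example 4.8, and the root check at the end uses exact rationals.

```python
from fractions import Fraction


def ord_p(n, p):
    """p-adic valuation of a nonzero integer or Fraction n."""
    if isinstance(n, Fraction):
        return ord_p(n.numerator, p) - ord_p(n.denominator, p)
    if n == 0:
        raise ValueError("ord_p(0) is +infinity")
    n, v = abs(n), 0
    while n % p == 0:
        n //= p
        v += 1
    return v


def lower_hull(points):
    """Vertices of the lower convex hull, left to right (monotone chain).
    Collinear points are dropped, so consecutive vertices bound one edge."""
    hull = []
    for q in sorted(points):
        while len(hull) >= 2:
            (x1, y1), (x2, y2) = hull[-2], hull[-1]
            # cross <= 0: the last vertex is not a strict left turn, discard it
            if (x2 - x1) * (q[1] - y1) - (y2 - y1) * (q[0] - x1) <= 0:
                hull.pop()
            else:
                break
        hull.append(q)
    return hull


def lower_edges(f, p):
    """f = {exponent: coefficient}.  For each lower edge of Newt_p(f) return
    (horizontal length, valuation v with inner normal (v, 1),
     exponents of the lower polynomial supported on that edge)."""
    pts = [(a, ord_p(c, p)) for a, c in f.items() if c != 0]
    verts = lower_hull(pts)
    edges = []
    for (x1, y1), (x2, y2) in zip(verts, verts[1:]):
        slope = Fraction(y2 - y1, x2 - x1)
        on_edge = sorted(a for a, y in pts
                         if x1 <= a <= x2 and y - y1 == slope * (a - x1))
        edges.append((x2 - x1, -slope, on_edge))
    return edges


def root_valuations(f, p):
    """Lemma 4.9: number of roots in C_p of each valuation, with multiplicity."""
    return {v: length for length, v, _ in lower_edges(f, p)}


def evaluate(f, x):
    return sum(c * x ** a for a, c in f.items())


# Constructed input: the polynomial of Example 4.8 as {exponent: coefficient}.
F_EX48 = {0: 36, 1: -8868, 2: 29305, 3: -35310, 4: 18240, 5: -3646, 6: 243}
# Its roots, which the Newton polygon predicts without factoring anything.
ROOTS_EX48 = (6, 1, Fraction(1, 243))

if __name__ == "__main__":
    for length, v, support in lower_edges(F_EX48, 3):
        print(f"edge of length {length}: {length} root(s) of 3-adic valuation {v},"
              f" lower polynomial supported on exponents {support}")
```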
4.1 The Proof of Assertion (2) of Theorem 1.2

The existence of 0 as a root is clearly checkable in constant time so we may again assume that $f$ is not divisible by $x_1$. Via the reciprocal polynomial $f^*(x_1) := x_1^{\deg f}f(1/x_1)$, it is then enough to show that, for most $f$, having a root in $\mathbb{Z}_p$ admits a succinct certificate. As observed in the proof of Assertion (2), $\mathrm{Newt}_p(f)$ can be computed in polynomial-time. Since $\mathrm{ord}_p c_i \le \log_p c_i \le \mathrm{size}(c_i)$, note also that every root $\zeta \in \mathbb{C}_p$ of $f$ satisfies $|\mathrm{ord}_p\zeta| \le 2\max_i \mathrm{size}(c_i) \le 2\,\mathrm{size}(f) \le 2\,\mathrm{size}_p(f)$.

Since $\mathrm{ord}_p(\mathbb{Z}_p) = \mathbb{N} \cup \{0\}$, we can clearly assume that $\mathrm{Newt}_p(f)$ has an edge with non-positive integral slope, for otherwise $f$ would have no roots in $\mathbb{Z}_p$. Letting $g(x_1) := f'(x_1)/x_1^{a_1-1}$, and $\zeta \in \mathbb{Z}_p$ be any $p$-adic integer root of $f$, note then that $\mathrm{ord}_p f'(\zeta) = (a_1-1)\mathrm{ord}_p(\zeta) + \mathrm{ord}_p g(\zeta)$. Note also that $\Delta_A(f) = \mathrm{Res}_{a_m,a_m-a_1}(f,g)$, so if $p \nmid \Delta_A(f)$ then $f$ and $g$ have no common roots in the algebraic closure of $\mathbb{F}_p$, by Lemma 4.3. In particular, $p \nmid \Delta_A(f) \Longrightarrow g(\zeta) \not\equiv 0 \bmod p$; and thus $p \nmid \Delta_A(f) \Longrightarrow \mathrm{ord}_p f'(\zeta) = (a_1-1)\mathrm{ord}_p(\zeta)$. Furthermore, by the convexity of the lower hull of $\mathrm{Newt}_p(f)$, it is clear that $\mathrm{ord}_p(\zeta) \le \frac{\mathrm{ord}_p c_0 - \mathrm{ord}_p c_i}{a_i}$ where $(a_i,\mathrm{ord}_p c_i)$ is the rightmost vertex of the lower edge of $\mathrm{Newt}_p(f)$ with least (non-positive and integral) slope. Clearly then, $\mathrm{ord}_p(\zeta) \le 2\max_i \log_p|c_i|$, so $p \nmid \Delta_A(f) \Longrightarrow \mathrm{ord}_p f'(\zeta) \le 2\,\mathrm{size}(f)$.

Our fraction of inputs admitting a succinct certificate will then correspond precisely to those $(f,p)$ such that $p \nmid \Delta_A(f)$. In particular, let us define $\mathcal{E}$ to be the union of all pairs $(f,p)$ such that $p \mid \Delta_A(f)$, as $A$ ranges over all finite subsets of $\mathbb{N} \cup \{0\}$. It is then easily checked that $\mathcal{E}$ is a countable union of hypersurfaces, and the density statement follows immediately from Corollary 4.6.

Now fix $\ell = 4\,\mathrm{size}(f) + 1$. Clearly then, by Hensel's Lemma, for any $(f,p) \in (\mathbb{Z}[x_1] \times \mathcal{P}) \setminus \mathcal{E}$, $f$ has a root $\zeta \in \mathbb{Z}_p$ $\Longleftrightarrow$ $f$ has a root $\zeta_0 \in \mathbb{Z}/p^\ell\mathbb{Z}$. Since $\log(p^\ell) = O(\mathrm{size}(f)\log p) = O(\mathrm{size}_p(f)^2)$, and since arithmetic in $\mathbb{Z}/p^\ell\mathbb{Z}$ can be done in time polynomial in $\log(p^\ell)$ [BS96, Ch. 5], we have thus at last found our desired certificate: a root $\zeta_0 \in (\mathbb{Z}/p^\ell\mathbb{Z})^*$ of $f$ with $\ell = 4\,\mathrm{size}(f) + 1$.
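The certificate just described, as an added example (not the paper's own code): `verify_certificate` checks, for a sparse $f \in \mathbb{Z}[x_1]$ given as a dictionary of exponents and coefficients, that $\zeta_0$ is a root mod $p^\ell$ with $2\,\mathrm{ord}_p f'(\zeta_0) < \ell$ (the Hensel condition; the paper's $\ell = 4\,\mathrm{size}(f)+1$ is one admissible choice of precision), and `hensel_lift` carries such a root to any higher precision, including the non-unit case $\mathrm{ord}_p f'(\zeta_0) > 0$. The sample polynomials and primes are constructed for illustration and are not from the paper.

```python
def ord_p(n, p):
    """p-adic valuation of a nonzero integer n."""
    if n == 0:
        raise ValueError("ord_p(0) is +infinity")
    n, v = abs(n), 0
    while n % p == 0:
        n //= p
        v += 1
    return v


def eval_mod(f, x, m):
    """Evaluate the sparse polynomial f = {exponent: coefficient} at x modulo m.
    pow(x, a, m) costs O(log a) multiplications, so the work is polynomial in
    the sparse encoding even when the exponents are huge."""
    return sum(c * pow(x, a, m) for a, c in f.items()) % m


def derivative(f):
    return {a - 1: a * c for a, c in f.items() if a > 0}


def verify_certificate(f, p, ell, zeta0):
    """The succinct certificate: zeta0 is a root of f mod p^ell and
    2 * ord_p f'(zeta0) < ell.  By Hensel's Lemma this guarantees a root in
    Z_p congruent to zeta0 mod p^(ell - ord_p f'(zeta0))."""
    M = p ** ell
    if eval_mod(f, zeta0, M) != 0:
        return False
    dfz = eval_mod(derivative(f), zeta0, M)
    if dfz == 0:  # ord_p f'(zeta0) >= ell: the certificate proves nothing
        return False
    return 2 * ord_p(dfz, p) < ell


def hensel_lift(f, p, zeta0, ell, target):
    """Lift a certified root mod p^ell to a root mod p^target.  One Newton step
    takes a root mod p^m with ord_p f'(zeta) = k (and m > 2k) to a root mod
    p^(2(m-k)), so the non-unit case k > 0 is handled, not only k = 0."""
    if not verify_certificate(f, p, ell, zeta0):
        raise ValueError("not a valid Hensel certificate")
    df = derivative(f)
    k = ord_p(eval_mod(df, zeta0, p ** ell), p)
    zeta, m = zeta0, ell
    while m < target:
        m = 2 * (m - k)              # precision reached after this step
        M = p ** m
        fz = eval_mod(f, zeta, M)    # divisible by p^(previous m), hence by p^k
        dfz = eval_mod(df, zeta, M)  # equals p^k times a unit mod M
        unit_inv = pow(dfz // p ** k, -1, M)
        zeta = (zeta - (fz // p ** k) * unit_inv) % M
    return zeta % p ** target


# Constructed samples.  F1 = x^1000 + x^17 + 5 has the root 1 mod 7 with
# f'(1) = 1017, a 7-adic unit; since f(1) = 7 != 0 the 7-adic root is not 1
# itself, so the lift is non-trivial.
F1 = {1000: 1, 17: 1, 0: 5}
# F2 = x^2 - 98 has roots +-7*sqrt(2) in Z_7; zeta0 = 21 is a root mod 7^3 and
# ord_7 f'(21) = ord_7(42) = 1, so the certificate needs ell >= 3.
F2 = {2: 1, 0: -98}

if __name__ == "__main__":
    print(verify_certificate(F1, 7, 1, 1), hensel_lift(F1, 7, 1, 1, 10))
    print(verify_certificate(F2, 7, 2, 21), verify_certificate(F2, 7, 3, 21))
```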



5 Degenerate Trinomials, Linear Forms in $p$-adic Logarithms, and Assertion (1)

We will first need to recall the concept of a gcd-free basis. In essence, a gcd-free basis is nearly as powerful as factorization into primes, but is far easier to compute.

Definition 5.1 [BS96, Sec. 8.4] For any subset $\{\alpha_1,\ldots,\alpha_N\} \subset \mathbb{N}$, a gcd-free basis for $\{\alpha_1,\ldots,\alpha_N\}$ is a pair of sets $\left(\{\gamma_i\}_{i=1}^{\eta},\ \{e_{i,j}\}_{(i,j)\in[N]\times[\eta]}\right)$ such that (1) $\gcd(\gamma_i,\gamma_j) = 1$ for all $i \ne j$, and (2) $\alpha_i = \prod_{j=1}^{\eta}\gamma_j^{e_{i,j}}$ for all $i$.

Theorem 5.2 Following the notation of Definition 5.1, we can compute a gcd-free basis for $\{\alpha_1,\ldots,\alpha_N\}$ (with $\eta$ linear in $N + \max_i \log\alpha_i$) in time linear in $N + \max_i \log^2\alpha_i$. In particular, if $u_1,\ldots,u_N \in \mathbb{Z}$ then we can decide $\alpha_1^{u_1}\cdots\alpha_N^{u_N} = 1$ in time linear in $N + (\max_i \log(\alpha_i) + \max_i \log(u_i))^2$. ■
The first assertion of Theorem 5.2 follows immediately from [BS96, Thm. 4.8.7, Sec. 4.8] and the naive bounds for the complexity of integer multiplication. The second assertion then follows immediately by checking whether the linear combinations $\sum_{i=1}^N e_{i,j}u_i$ are all 0 or not.
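As an added example (neither the paper's nor [BS96]'s code), here is the naive refinement that produces a gcd-free basis in the sense of Definition 5.1, and the test from Theorem 5.2 that decides $\alpha_1^{u_1}\cdots\alpha_N^{u_N} = 1$ from the exponent matrix alone, so that huge or negative $u_i$ never have to be expanded into an actual product. The inputs are constructed for illustration.

```python
from math import gcd


def gcd_free_basis(alphas):
    """Naive refinement: while two basis elements x, y share a factor
    g = gcd(x, y) > 1, replace them by x // g, g, y // g (dropping 1s and
    duplicates).  The product of the basis strictly decreases, so this stops.
    Returns (gammas, E): gammas pairwise coprime, and for every i
    alphas[i] == prod(gammas[j] ** E[i][j] for j)."""
    basis = {a for a in alphas if a > 1}
    while True:
        elems = sorted(basis)
        pair = next(((x, y) for i, x in enumerate(elems)
                     for y in elems[i + 1:] if gcd(x, y) > 1), None)
        if pair is None:
            break
        x, y = pair
        g = gcd(x, y)
        basis = (basis - {x, y}) | ({x // g, g, y // g} - {1})
    gammas = sorted(basis)
    E = []
    for a in alphas:
        row = []
        for gamma in gammas:
            e = 0
            while a % gamma == 0:
                a //= gamma
                e += 1
            row.append(e)
        # every prime dividing an input lives in exactly one gamma, and each
        # input is a product of basis elements, so the cofactor is now 1
        assert a == 1
        E.append(row)
    return gammas, E


def is_unit_product(alphas, us):
    """Theorem 5.2's criterion: alpha_1^u_1 ... alpha_N^u_N == 1 iff every
    column sum  sum_i E[i][j] * u_i  vanishes.  Only O(N * eta) integer
    multiplications on the (small) exponents, whatever the size of the u_i."""
    gammas, E = gcd_free_basis(alphas)
    return all(sum(E[i][j] * us[i] for i in range(len(alphas))) == 0
               for j in range(len(gammas)))


if __name__ == "__main__":
    # Constructed input: 12 = 2^2*3, 18 = 2*3^2, 8 = 2^3, so 12^-2 * 18 * 8 = 1.
    print(gcd_free_basis([12, 18, 8]))
    print(is_unit_product([12, 18, 8], [-2, 1, 1]))
```

Note that a basis element need not be prime: for `[36, 6]` the refinement stops at the single element 6, which is all that relation testing needs.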
We now make some final observations about the roots of trinomials before proving Assertion (1) of Theorem 1.2.

Corollary 5.3 Suppose $f(x_1) = c_1 + c_2x_1^{a_2} + c_3x_1^{a_3} \in \mathcal{F}_{1,3}$, $A := \{0,a_2,a_3\}$, $0 < a_2 < a_3$, $a_3 \ge 3$, and $\gcd(a_2,a_3) = 1$. Then:

(0) $\Delta_A(f) = (a_3-a_2)^{a_3-a_2}\,a_2^{a_2}\,c_2^{a_3} - (-a_3)^{a_3}\,c_1^{a_3-a_2}\,c_3^{a_2}$.

(1) $\Delta_A(f) \ne 0$ $\Longleftrightarrow$ $f$ has no degenerate roots. In which case, we also have

$$\Delta_A(f) = (-1)^{a_3}\left(\frac{c_3}{c_1}\right)^{a_2-1}\prod_{f(\zeta)=0} f'(\zeta).$$

(2) Deciding whether $f$ has a degenerate root in $\mathbb{C}_p$ can be done in time polynomial in $\mathrm{size}_p(f)$.

(3) If $f$ has a degenerate root $\zeta \in \mathbb{C}_p^*$ then $(\zeta^{a_2},\zeta^{a_3}) = \left(\frac{-a_3c_1}{(a_3-a_2)c_2},\ \frac{a_2c_1}{(a_3-a_2)c_3}\right)$. In particular, such a $\zeta$ is unique and lies in $\mathbb{Q}$.

(4) The polynomial $q(x_1) := (a_3-a_2) - a_3x_1^{a_2} + a_2x_1^{a_3}$ has 1 as its unique degenerate root and satisfies $\Delta_{\{0,\ldots,a_3-2\}}\!\left(\frac{q(x_1)}{(x_1-1)^2}\right) = \pm\left(a_2a_3(a_3-a_2)\right)^{a_3+O(1)}$.

Proof of Corollary 5.3:

Part (0): [GKZ94, Prop. 1.8, pg. 274]. ■

Part (1): The first assertion follows directly from Definition 4.4 and the vanishing criterion for $\mathrm{Res}_{(a_3,a_3-a_2)}$ from Lemma 4.3. To prove the second assertion, observe that the product formula from Lemma 4.3 implies that

$$\Delta_A(f) = c_3^{a_3-a_2}\left(\prod_{f(\zeta)=0}\frac{f'(\zeta)}{\zeta^{a_2-1}}\right)\Big/c_3^{a_3-a_2} = (-1)^{a_3}\left(\prod_{f(\zeta)=0} f'(\zeta)\right)\Big/(c_1/c_3)^{a_2-1}. \ ■$$

Part (2): From Part (1) it suffices to detect the vanishing of $\Delta_A(f)$. However, while Part (0) implies that one can evaluate $\Delta_A(f)$ with a small number of arithmetic operations, the bit-size of $\Delta_A(f)$ can be quite large. Nevertheless, we can decide within time polynomial in $\mathrm{size}(f)$ whether these particular $\Delta_A(f)$ vanish for integer $c_i$ via gcd-free bases (invoking Theorem 5.2). ■

Part (3): It is easily checked that if $\zeta \in \mathbb{C}_p$ is a degenerate root of $f$ then the vector $[c_1,\ c_2\zeta^{a_2},\ c_3\zeta^{a_3}]$ must be a right null vector for the matrix $M := \begin{bmatrix} 1 & 1 & 1 \\ 0 & a_2 & a_3 \end{bmatrix}$. Since $[a_3-a_2,\ -a_3,\ a_2]$ is clearly a right null vector for $M$, $[c_1,\ c_2\zeta^{a_2},\ c_3\zeta^{a_3}]$ must then be a multiple of $[a_3-a_2,\ -a_3,\ a_2]$. Via the extended Euclidean algorithm [BS96, Sec. 4.3], we can then find $A$ and $B$ (also of size polynomial in $\mathrm{size}(f)$) with $Aa_2 + Ba_3 = 1$. So then we obtain that

$$\left(\frac{c_2\zeta^{a_2}}{c_1}\right)^A\left(\frac{c_3\zeta^{a_3}}{c_1}\right)^B = \frac{c_2^A c_3^B}{c_1^{A+B}}\,\zeta = \left(\frac{-a_3}{a_3-a_2}\right)^A\left(\frac{a_2}{a_3-a_2}\right)^B. \ ■$$

Part (4): That 1 is a root of $q$ is obvious. Uniqueness follows directly from Part (3) and our assumption that $\gcd(a_2,a_3) = 1$. To prove the final assertion, first note that a routine long division reveals that $\frac{q(x)}{(x-1)^2}$ has coefficients rising by one arithmetic progression and then falling by another. Explicitly,

$$\frac{q(x)}{(x-1)^2} = \sum_{i=1}^{a_2-1}(a_3-a_2)\,i\,x^{i-1} + \sum_{i=1}^{a_3-a_2}(a_3-a_2+1-i)\,a_2\,x^{a_2+i-2}.$$

Definition 4.2 then implies that $\Delta_{\{0,\ldots,a_3-2\}}\!\left(\frac{q(x)}{(x-1)^2}\right)$ is exactly $\frac{1}{a_2}$ times the determinant of the following quasi-Toeplitz matrix which we will call $\mathcal{M}$, whose first detailed row is

$$a_3-a_2,\ \ 2(a_3-a_2),\ \ \cdots,\ \ (a_2-1)(a_3-a_2),\ \ (a_3-a_2)a_2,\ \ \cdots,\ \ 2a_2,\ \ a_2,\ \ \cdots$$

and whose second detailed row is

$$1\cdot2\cdot(a_3-a_2),\ \ 2\cdot3\cdot(a_3-a_2),\ \ \cdots,\ \ (a_2-2)(a_2-1)(a_3-a_2),\ \ (a_2-1)(a_3-a_2)a_2,\ \ \cdots,\ \ (a_3-2)\cdot1\cdot a_2,\ \ \cdots$$

where there are exactly $a_3-3$ (resp. $a_3-2$) shifts of the first (resp. second) detailed row. Letting $f(x) := \frac{q(x)}{(x-1)^2}$, note in particular that the entries of the first $a_3-3$ (resp. last $a_3-2$) rows correspond to the coefficients of $x^if(x)$ (resp. $x^if'(x)$) for $i \in \{0,\ldots,a_3-4\}$ (resp. $i \in \{0,\ldots,a_3-3\}$). We can clearly replace any polynomial by itself plus a linear combination of the others and rebuild our matrix $\mathcal{M}$ with these new polynomials, leaving $\det\mathcal{M}$ unchanged (thanks to invariance under elementary row operations). So let us now look for useful linear combinations of $x^if$ and $x^if'$.
Observe that

$$\frac{q(x)}{x-1} = \sum_{i=0}^{a_2-1}(a_2-a_3)x^i + \sum_{i=a_2}^{a_3-1}a_2x^i \qquad\text{and}\qquad \frac{q'(x)}{x-1} = a_2a_3x^{a_2-1} + \cdots + a_2a_3x^{a_3-2},$$

so

$$\frac{q(x)}{x-1} - \frac{1}{a_3}\cdot\frac{xq'(x)}{x-1} = \sum_{i=0}^{a_2-1}(a_2-a_3)x^i.$$

Since $(x-1)f(x) = \frac{q(x)}{x-1}$ it would thus be useful to obtain $\frac{q'(x)}{x-1}$ as a polynomial linear combination of $f$ and $f'$. Toward this end, observe that

$$xf' - f' + 2f = \frac{(x-1)^2q' - 2(x-1)q}{(x-1)^3} + \frac{2q}{(x-1)^2} = \frac{(x-1)^2q'}{(x-1)^3} = \frac{q'}{x-1}.$$

It is then prudent to replace each $x^if$ row with the coefficients of $x^i\!\left((x-1)f - \frac{x}{a_3}\left(xf'-f'+2f\right)\right)$ for $i \in \{0,\ldots,a_3-5\}$. There are $a_3-4$ such new rows, each divisible by $a_3-a_2$, so $(a_3-a_2)^{a_3-4}$ divides $\det\mathcal{M}$. Similarly, we can replace each $x^if'$ row with the coefficients of $x^i(f' - xf' - 2f)$, for $i \in \{0,\ldots,a_3-4\}$. Each of these polynomials is divisible by $a_2a_3$. There are $a_3-3$ of these rows — and they are distinct from the other $a_3-4$ rows we modified earlier — so $(a_2a_3)^{a_3-3}$ also divides $\det\mathcal{M}$.

We are thus left with showing that the matrix whose rows correspond to the coefficient vectors of the polynomials

$$\frac{x^{a_2}-1}{x-1},\ \ldots,\ x^{a_3-5}\frac{x^{a_2}-1}{x-1},\ x^{a_3-4}f;\qquad x^{a_2-1}\frac{x^{a_3-a_2}-1}{x-1},\ \ldots,\ x^{a_2+a_3-5}\frac{x^{a_3-a_2}-1}{x-1},\ x^{a_3-3}f'$$

has determinant $\pm(a_2a_3)^{O(1)}$. Roughly, our last matrix has the following form:
[Matrix display not recoverable from the extraction; its legible entries are $a_3-a_2$, $1$, $a_2$, $1\cdots1$, $2(a_3-a_2)$, and $(a_3-2)a_2$.]

Via a simple sequence of $O(a_3)$ elementary row and column operations, restricted to subtractions of a column from another column and subtractions of a row from another row, we can then reduce our matrix to a $(2a_3-5) \times (2a_3-5)$ permutation matrix with the $(a_3-3)$rd row and $(2a_3-5)$th row resembling the corresponding rows above. In particular, these 2 new rows have entries at worst $O(a_3)$ times larger than before. Clearly then, our final determinant is $O\!\left(a_3^2(a_3-a_2)^2a_2^2\right) = (a_2a_3)^{O(1)}$, and we are done. ■



We now quote the following important result on lower binomials.

Theorem 5.4 [AI10, Thm. 4.5] Suppose $(f,p) \in \mathbb{Z}[x_1] \times \mathcal{P}$, $(v,1)$ is an inner normal to a lower edge $E$ of $\mathrm{Newt}_p(f)$, the lower polynomial $g$ corresponding to $E$ is a binomial with exponents $\{a_i,a_j\}$, and $p$ does not divide $a_i - a_j$. Then the number of roots $\zeta \in \mathbb{Q}_p$ of $f$ with $\mathrm{ord}_p\zeta = v$ is exactly the number of roots of $g$ in $\mathbb{Q}_p$. ■

Finally, we recall a deep theorem from Diophantine approximation that allows us to bound from above the $p$-adic valuation of certain high degree binomials.

Yu's Theorem. [Yu94, pg. 242] Suppose $p \in \mathbb{N}$ is any prime; $\alpha_1,\ldots,\alpha_m$ are nonzero integers; and $\beta_1,\ldots,\beta_m$ are integers not all zero. Then $\alpha_1^{\beta_1}\cdots\alpha_m^{\beta_m} \ne 1$ implies that

$$\mathrm{ord}_p\!\left(\alpha_1^{\beta_1}\cdots\alpha_m^{\beta_m} - 1\right) < 22000\,(\cdots)^{2(m+1)}\,(p-1)\,\log(10mh)\,\max\{3,\ \log\max_i|\beta_i|\}\,\prod_{i=1}^m|\log\alpha_i|$$

where $h = \max\{\log\max_i|\alpha_i|,\ \log p\}$ and the imaginary part of $\log$ lies in $[-\pi,\pi]$.

Let us call any $\mathrm{Newt}_p(f)$ such that $f$ has no lower $m$-nomials with $m \ge 3$ generic. Oppositely, we call $\mathrm{Newt}_p(f)$ flat if it is a line segment. Finally, if $p \mid (a_i - a_j)$ with $\{a_i,a_j\}$ the exponents of some lower binomial of $f$ then we call $\mathrm{Newt}_p(f)$ ramified. We will see later that certain ramified cases and flat cases are where one begins to see the subtleties behind proving $\mathrm{FEAS}_{\mathbb{Q}_p}(\mathcal{F}_{1,3}) \in \mathbf{NP}$, including the need for Yu's Theorem above.



5.1 The Proof of Assertion (1) of Theorem 1.2

Our underlying certificate will ultimately be a root $\zeta_0 \in \mathbb{Z}/p^\ell\mathbb{Z}$ for $f$ (or a slight variant thereof) with $\ell = O(p\,\mathrm{size}(f)^8)$. Certain cases will actually require such a high power of $p$ and this appears to be difficult to avoid.

Let us write $f(x_1) = c_1 + c_2x_1^{a_2} + c_3x_1^{a_3}$. Just as in Section 4.1, we may assume $c_1 \ne 0$ and reduce to certifying roots in $\mathbb{Z}_p$. We may also assume that the rightmost (or only) lower edge of $f$ is a horizontal line segment at height 0. (And thus $\mathrm{ord}_p c_1 \ge 0$ in particular.) This is because we can find the $p$-parts of $c_1,c_2,c_3$ in polynomial-time via gcd-free bases (via recursive squaring), compute $\mathrm{Newt}_p(f)$ in time polynomial in $\mathrm{size}_p(f)$ (via standard convex hull algorithms, e.g., [Ede87]), and then rescale $f$ without increasing $\mathrm{size}(f)$. More precisely, if $\mathrm{Newt}_p(f)$ has no lower edges of integral slope then we can immediately conclude that $f$ has no roots in $\mathbb{Q}_p$ by Lemma 4.9. So, replacing $f$ by the reciprocal polynomial $f^*$ if necessary, we may assume that the rightmost lower edge of $f$ has integral slope and then set

$$g(x_1) := p^{-\mathrm{ord}_p(c_3) - a_3\frac{\mathrm{ord}_p(c_2)-\mathrm{ord}_p(c_3)}{a_3-a_2}}\, f\!\left(p^{\frac{\mathrm{ord}_p(c_2)-\mathrm{ord}_p(c_3)}{a_3-a_2}}x_1\right).$$

The lower hull of $\mathrm{Newt}_p(g)$ then clearly has the desired shape, and it is clear that $f$ has a root in $\mathbb{Q}_p$ iff $g$ has a root in $\mathbb{Q}_p$. In particular, it is easily checked that $\mathrm{size}(g) \le \mathrm{size}(f)$.

To simplify our proof we will assume that $\gcd(a_2,a_3) = 1$ (unless otherwise noted), and recover the case $\gcd(a_2,a_3) > 1$ at the very end of our proof. The vanishing of $\Delta_A(f)$, which can be detected in $\mathbf{P}$ thanks to Corollary 5.3, then determines 2 cases:

Case (a): $\Delta_A(f) \ne 0$

Since $\gcd(a_2,a_3) = 1$ we may clearly assume that $p$ divides at most one of $\{a_2,\ a_3,\ a_3-a_2\}$. The shape of the lower hull of $\mathrm{Newt}_p(f)$ (which we've already observed can be computed in time polynomial in $\mathrm{size}_p(f)$) then determines 2 subcases:

If $\mathrm{Newt}_p(f)$ has lower hull a line segment then we may also assume (by rescaling $f$ as detailed above) that $p \nmid c_1, c_3$ and $e := \mathrm{ord}_p c_2 \ge 0$.

When $p$ divides either $a_2$ or $a_3-a_2$ then we can easily find certificates for solvability of $f$ over $\mathbb{Q}_p$: If $e = 0$ then $p \nmid \Delta_A(f)$ by Corollary 5.3 (since $p \nmid a_3$) and thus $f$ has no degenerate roots mod $p$. So Hensel's Lemma implies that we can use a root of $f$ in $\mathbb{Z}/p\mathbb{Z}$ as a certificate for $f$ having a root in $\mathbb{Q}_p$. If $e > 0$ then we can in fact detect roots in $\mathbb{Q}_p$ for $f$ in $\mathbf{P}$ by the binomial case, thanks to Theorem 5.4.

So let us now assume $p$ does not divide $a_2$ or $a_3-a_2$, and set $e' := \mathrm{ord}_p a_3$. If $e > e'$ then observe that $f'(x) \equiv a_3c_3x^{a_3-1} \bmod p^e$. By Lemma 4.9, any putative root $\zeta \in \mathbb{Q}_p$ of $f$ must satisfy $\mathrm{ord}_p\zeta = 0$. So $f'(\zeta) \not\equiv 0 \bmod p^e$ and Hensel's Lemma implies that a root of $f$ in $\mathbb{Z}/p^{2e+1}\mathbb{Z}$ is clearly a certificate for $f$ having a root in $\mathbb{Q}_p$. Our certificate can also clearly be verified in time polynomial in $\mathrm{size}_p(f)$ since $\mathrm{size}(p^{2e+1}) \le 3\,\mathrm{size}(f)$.

If $e < e'$ then $f'(x) \equiv a_2c_2x^{a_2-1} \bmod p^{e'}$. Similar to the last paragraph, $f'(\zeta) \not\equiv 0 \bmod p^{e'}$ and we then instead employ a root of $f$ in $\mathbb{Z}/p^\ell\mathbb{Z}$ with $\ell = 2e'+1$ as a certificate for $f$ having a root in $\mathbb{Q}_p$.

Now, if $e = e'$, observe that $\mathrm{ord}_p f'(\zeta) = \mathrm{ord}_p\frac{f'(\zeta)}{\zeta^{a_2-1}}$ since Lemma 4.9 tells us that $\mathrm{ord}_p\zeta = 0$ for any root $\zeta \in \mathbb{C}_p$. Since $\Delta_A(f) \ne 0$, Corollary 5.3 then tells us that $\mathrm{ord}_p(a_2c_2 + a_3c_3\zeta^{a_3-a_2}) < +\infty$. So $\mathrm{ord}_p f'(\zeta) < +\infty$ for any root $\zeta \in \mathbb{C}_p$ of $f$ and then Corollary 5.3 tells us that

$$\mathrm{ord}_p\prod_{f(\zeta)=0}f'(\zeta) = \sum_{f(\zeta)=0}\mathrm{ord}_p f'(\zeta) = \mathrm{ord}_p\!\left((a_3-a_2)^{a_3-a_2}a_2^{a_2}c_2^{a_3} - (-a_3)^{a_3}c_1^{a_3-a_2}c_3^{a_2}\right)$$
$$= a_3e + \mathrm{ord}_p\!\left((a_3-a_2)^{a_3-a_2}a_2^{a_2}\left(c_2/p^e\right)^{a_3} - \left(-a_3/p^e\right)^{a_3}c_1^{a_3-a_2}c_3^{a_2}\right)$$

(since $p^e \mid c_2, a_3$).

So by the $m = 6$ case of Yu's Theorem (using our current assumption that $p$ can not divide $a_2$, $a_3-a_2$, $c_1$, or $c_3$), we obtain

$$\sum_{f(\zeta)=0}\mathrm{ord}_p f'(\zeta) = a_3e + O(p\,\mathrm{size}(f)^8).$$

Now, since $p^e \mid c_2, a_3$, we have $\mathrm{ord}_p f'(\zeta) \ge e$ for any root $\zeta \in \mathbb{C}_p$ of $f$. So all roots $\zeta \in \mathbb{C}_p$ of $f$ must satisfy

$$\mathrm{ord}_p f'(\zeta) \le e + O(p\,\mathrm{size}(f)^8) \le \mathrm{size}(f) + O(p\,\mathrm{size}(f)^8).$$

In other words, a root of $f$ in $\mathbb{Z}/p^{O(p\,\mathrm{size}(f)^8)}\mathbb{Z}$ suffices as a certificate, thanks to Hensel's Lemma.

If the lower hull of $\mathrm{Newt}_p(f)$ is not a line segment then (by rescaling $f$ as detailed above), we may also assume that $p \mid c_1$ but $p \nmid c_2, c_3$. Since $\gcd(a_2,a_3) = 1$, we may also assume (via rescaling and/or reciprocals) that $p \nmid a_2a_3$, i.e., if $p$ divides the length of any lower edge of $\mathrm{Newt}_p(f)$ then it is the rightmost (now horizontal) edge.

Via Theorem 5.4 and the binomial case of Assertion (1) we can easily decide (within time polynomial in $\mathrm{size}_p(f)$) the existence of a root of $f$ in $\mathbb{Z}_p$ with valuation $v$, where $(v,1)$ is an inner normal of the left lower edge of $\mathrm{Newt}_p(f)$. So now we need only efficiently detect roots in $\mathbb{Z}_p$ of valuation 0. Toward this end, let us now set $e := \mathrm{ord}_p c_1$ and $e' := \mathrm{ord}_p(a_3-a_2)$. Clearly, $e > 0$ or else we would be in the earlier case where $\mathrm{Newt}_p(f)$ has lower hull a single edge.

If $e > e'$ then $f(x) \equiv c_2x^{a_2} + c_3x^{a_3} \bmod p^e$ and thus $f'(\zeta) = a_2c_2\zeta^{a_2-1} + a_3c_3\zeta^{a_3-1} \equiv -a_2c_3\zeta^{a_3-1} + a_3c_3\zeta^{a_3-1} = c_3(a_3-a_2)\zeta^{a_3-1} \bmod p^e$ for any root $\zeta \in \mathbb{C}_p$ of $f$. So $f'(\zeta) \not\equiv 0 \bmod p^e$ for any root $\zeta \in \mathbb{Z}_p$ of valuation 0 and thus, by Hensel's Lemma, we can certify the existence of such a $\zeta$ in $\mathbf{NP}$ by a root of $f$ in $\mathbb{Z}/p^{2e+1}\mathbb{Z}$.

If $e < e'$ then $f'(x) = a_2c_2x^{a_2-1} + a_3c_3x^{a_3-1} \equiv a_3c_2x^{a_2-1} + a_3c_3x^{a_3-1} \bmod p^{e'}$ since $a_3 \equiv a_2 \bmod p^{e'}$. So $f'(\zeta) \equiv a_3c_2\zeta^{a_2-1} - a_3(c_1\zeta^{-1} + c_2\zeta^{a_2-1}) = -\frac{a_3c_1}{\zeta} \bmod p^{e'}$ for any root $\zeta \in \mathbb{C}_p$ of $f$. So a root of $f$ in $\mathbb{Z}/p^{2e'+1}\mathbb{Z}$ serves as a certificate for a root of $f$ in $\mathbb{Z}_p$.

Finally, if $e = e'$, observe that $f'(x) = a_2c_2x^{a_2-1} + a_3c_3x^{a_3-1}$ and there are exactly $a_2$ (resp. $a_3-a_2$) roots of $f$ in $\mathbb{C}_p$ of valuation $\frac{e}{a_2}$ (resp. 0) by Lemma 4.9. Using the fact that $p \nmid a_2a_3c_2c_3$, it is then easy to see that $\mathrm{ord}_p f'(\zeta) = \frac{a_2-1}{a_2}e$ for any root $\zeta \in \mathbb{C}_p$ of $f$ with valuation $\frac{e}{a_2}$.

The value of $\mathrm{ord}_p f'(\zeta)$ is harder to control at a root of valuation 0. So let us first observe the following:

$$(*)\qquad \frac{a_3c_1}{\zeta} + f'(\zeta) = \frac{a_3c_1}{\zeta} + a_2c_2\zeta^{a_2-1} + a_3c_3\zeta^{a_3-1} \equiv \frac{a_3c_1}{\zeta} + a_3c_2\zeta^{a_2-1} + a_3c_3\zeta^{a_3-1} = \frac{a_3}{\zeta}f(\zeta) = 0 \bmod p^e,$$

for any root $\zeta \in \mathbb{C}_p$ of $f$ of valuation 0. In other words, $e \le \mathrm{ord}_p f'(\zeta)$ at any such root. So, similar to our earlier flat case, Part (1) of Corollary 5.3 implies the following:

$$\mathrm{ord}_p\Delta_A(f) = -(a_2-1)e + \sum_{f(\zeta)=0}\mathrm{ord}_p f'(\zeta) = \sum_{\substack{f(\zeta)=0 \\ \mathrm{ord}_p\zeta=0}}\mathrm{ord}_p f'(\zeta).$$

On the other hand, since $e = \mathrm{ord}_p(a_3-a_2) = \mathrm{ord}_p c_1$, Part (0) of Corollary 5.3 combined with the $m = 6$ case of Yu's Theorem implies that $\mathrm{ord}_p\Delta_A(f) = (a_3-a_2)e + O(p\,\mathrm{size}(f)^8)$. So any root $\zeta \in \mathbb{C}_p$ of $f$ having valuation 0 must satisfy

$$\mathrm{ord}_p f'(\zeta) \le e + O(p\,\mathrm{size}(f)^8) \le \mathrm{size}(f) + O(p\,\mathrm{size}(f)^8).$$

So again, a root of $f$ in $\mathbb{Z}/p^{O(p\,\mathrm{size}(f)^8)}\mathbb{Z}$ suffices as a certificate, thanks to Hensel's Lemma.

Remark 5.5 Note that if $\mathrm{Newt}_p(f)$ is unramified as well as generic, then Theorem 5.4 implies that we can in fact decide the existence of roots in $\mathbb{Q}_p$ for $f$ in $\mathbf{P}$.

Case (b): A^(/) = 

First note that, independent o/gcd(a 2 , a 3 ), a degenerate root of / in Q p admits a very simple 
certificate: a C€Z/p 4size ^ +1 Z satisfying c 2 (a 3 — a 2 )C a2 — Ci<2 3 = c 3 (a 3 — a 2 )C a3 — c\a 2 = mod 
p4size(/)+i_ Thanks to Corollary 15.31 and our proof of Assertion (0) in Section [31 it is clear 
that the preceding 2x1 binomial system has a solution iff / has a degenerate root in Q p . 
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So now we resume our assumption that gcd(a 2 ,ct3) = 1 and build certificates for the 
non- degenerate roots of / in Z p . Toward this end, observe that the proof of Corollary 15.31 
tells us that the unique degenerate root £ of / lies in Q* and satisfies [ci, C2C 12 , c 3 ( a3 ] = 
7[a 3 — a 2 , — 03, a 2 ] for some 7G Q. Clearly then, g(a;i) = ^/(C^i); an d / has exactly the same 
number of roots in Q p as q does. 

So we can henceforth restrict to the special case c\ = a 3 — 02, C2 = — a 3 , C3 = a 2 , and let 
r(xi) := and A := A{ 0i ... ia3 _2}( r )- Should p ){a 2 a 3 (a 3 — a 2 ) then / is clearly flat and 

thus all the roots of / have valuation 0. Part (4) of Corollary 15.31 tells us that ord p A < 
log p ((a 2 a 3 (a 3 — a 2 ))°^) = 0(log(a 2 ) + log(a 3 )) = 0(size(/)) and thus the product formula 
from Lemma 14.31 implies that ord p r'(£) = 0(size(/)) at any root ( G C p of r. So a root 
C eZ/p°( size ^)Z of r suffices as a certificate for / to have a root in Q p other than 1. (Note 
also that by construction, r can clearly be evaluated mod p°( slze (f» within a number of 
arithmetic operations quadratic in size p (/).) 

So let us assume that p divides exactly one number from {02, a 3 , a 3 — a 2 }. (Otherwise, p 
would divide all 3 numbers, thus contradicting the assumption gcd(a 2 , a 3 ) = 1.) 

Should p\a 3 then / is clearly flat and, by Lemma [4.9[ every root of r has valuation 0. 
This implies ord p r'(£) > at any root ( G C p of r. So by Part (4) of Corollary 15.31 and the 
product formula from Lemma I4.3[ we obtain that 

ord p A = (a 3 - 3)ord p (a 2 ) + £ ord p r'(C) = (a 3 + 0(l))ord p (a 2 ). 

r(C)=0 

So ord p r'(£) = 0(ord p a 2 ) = 0(size(/)) at any root ( G C p and we can again use a root 
( eZ/p o( - size< - f)) Z of T clS £L certificate for / to have a root in Q p other than 1. 

Replacing / by the reciprocal polynomial /* if need be, we are left with the case 
p\(a 3 — 02). By Lemma I4.9[ / clearly has exactly a 2 (resp. a 3 — a 2 ) roots of valuation 
ord p (a3-a 2 ) >Q ^ egp [n observe that /' (C)=a2a 3 C a2 ~ 1 (C a3 ~ a2 - !)• 
For C G C a root of f with valuation ort M a 3- a 2) we th en obtain 

ord p f'(0 = ^ord p (a 3 - a 2 ) = 0(size(/)). 
In other words, we can simply apply Hensel's Lemma to / and use a root of / in 
p ord p (a3-a 2 )/a 2 ( Z /p2ord p (a 3 -a 2 )+i Z ) as a cert ifi C ate for a non-degenerate root of / in Q p . 

For $\zeta \in \mathbb{C}_p$ a root of $f$ with valuation $0$ we then obtain $\mathrm{ord}_p f'(\zeta) \ge \mathrm{ord}_p(a_3 - a_2)$, thanks to identity $(*)$ from the non-degenerate case. Note also that $r'(\zeta) = f'(\zeta)/(\zeta - 1)^2$ at any root $\zeta$ of $r$. Employing the product formula from Lemma 4.3 we then obtain
\[
\mathrm{ord}_p \Delta = \Big(\sum_{r(\zeta)=0} \mathrm{ord}_p f'(\zeta)\Big) - 2\,\mathrm{ord}_p \prod_{r(\zeta)=0} (\zeta - 1) = \Big(\sum_{r(\zeta)=0} \mathrm{ord}_p f'(\zeta)\Big) - 2\,\mathrm{ord}_p r(1),
\]
since $p \nmid a_2$. From our proof of Part (4) of Corollary 5.3 it easily follows that $|r(1)| \le \tfrac{1}{2} a_2 a_3 (a_3 - a_2)$ and thus $\mathrm{ord}_p r(1) \le \log_p(a_2 a_3 (a_3 - a_2))$. So, applying Part (4) of Corollary 5.3 one last time, we obtain
\[
\sum_{r(\zeta)=0} \mathrm{ord}_p f'(\zeta) \le (a_3 + O(1))\,\mathrm{ord}_p(a_3 - a_2) + \log_p(a_2 a_3 (a_3 - a_2)),
\]
and thus
\[
\sum_{\substack{r(\zeta)=0 \\ \mathrm{ord}_p \zeta = 0}} \mathrm{ord}_p f'(\zeta) \le (a_3 - a_2 + O(1))\,\mathrm{ord}_p(a_3 - a_2) + \log_p(a_2 a_3 (a_3 - a_2)).
\]
Since $\mathrm{ord}_p f'(\zeta) \ge \mathrm{ord}_p(a_3 - a_2)$ at a valuation $0$ root $\zeta \in \mathbb{C}_p$ of $f$, and there are exactly $a_3 - a_2$ such roots, we therefore must have
\[
\mathrm{ord}_p f'(\zeta) = O(1)\,\mathrm{ord}_p(a_3 - a_2) + \log_p(a_2 a_3 (a_3 - a_2)) = O(\mathrm{size}(f))
\]
at every such root. So we can certify non-degenerate roots $\zeta \in \mathbb{Q}_p$ of $f$ with valuation $0$ by a root $\zeta_0 \in \mathbb{Z}/p^{O(\mathrm{size}(f))}\mathbb{Z}$ of $r \bmod p^{O(\mathrm{size}(f))}$ not divisible by $p^{\mathrm{ord}_p(a_3 - a_2)/a_2}$.

Wrapping up the case $\gcd(a_2, a_3) > 1$: From our preceding arguments, we see that we are left with certifying the existence of non-degenerate roots in the case $g := \gcd(a_2, a_3) > 1$. Fortunately, this is simple: we merely find a non-degenerate root $\zeta_0 \in \mathbb{Z}/p^{\ell}\mathbb{Z}$ of $\bar f := c_1 + c_2 x^{a_2/g} + c_3 x^{a_3/g}$ as before (with $\ell$ depending on the case $\bar f$ falls into), also satisfying the condition that $x^g - \zeta_0$ has a root in $\mathbb{Z}/p^{\ell}\mathbb{Z}$. Thanks to Corollary 3.2 we are done. ■



6 NP-hardness in One Variable: Proving Assertions (4) and (5)

We will first need to develop two key ingredients: (A) Plaisted's beautiful connection between Boolean satisfiability and roots of unity, and (B) an algorithm for constructing moderately small primes $p$ with $p - 1$ having many prime factors.



6.1 Roots of Unity and NP-Completeness 

Let us define $[n] := \{1, \ldots, n\}$. Recall that any Boolean expression of one of the following forms:

$(\diamond)$ $y_i \vee y_j \vee y_k$, $\neg y_i \vee y_j \vee y_k$, $\neg y_i \vee \neg y_j \vee y_k$, $\neg y_i \vee \neg y_j \vee \neg y_k$, with $i, j, k \in [3n]$,

is a 3CNFSAT clause. A satisfying assignment for an arbitrary Boolean formula $B(y_1, \ldots, y_n)$ is an assignment of values from $\{0, 1\}$ to the variables $y_1, \ldots, y_n$ which makes the equality $B(y_1, \ldots, y_n) = 1$ true. Let us now refine slightly Plaisted's elegant reduction from 3CNFSAT to feasibility testing for univariate polynomial systems over the complex numbers [Pla84, Sec. 3, pp. 127-129].

Definition 6.1 Letting $P := (p_1, \ldots, p_n)$ denote any strictly increasing sequence of primes, let us inductively define a semigroup homomorphism $\mathcal{P}_P$ (the Plaisted morphism with respect to $P$) from certain Boolean expressions in the variables $y_1, \ldots, y_n$ to $\mathbb{Z}[x]$, as follows$^{7}$: (0) $D_P := \prod_{i=1}^{n} p_i$, (1) $\mathcal{P}_P(0) := 1$, (2) $\mathcal{P}_P(y_i) := x^{D_P/p_i} - 1$, (3) $\mathcal{P}_P(\neg B) := (x^{D_P} - 1)/\mathcal{P}_P(B)$, for any Boolean expression $B$ for which $\mathcal{P}_P(B)$ has already been defined, (4) $\mathcal{P}_P(B_1 \vee B_2) := \mathrm{lcm}(\mathcal{P}_P(B_1), \mathcal{P}_P(B_2))$, for any Boolean expressions $B_1$ and $B_2$ for which $\mathcal{P}_P(B_1)$ and $\mathcal{P}_P(B_2)$ have already been defined. ⋄



Lemma 6.2 [Pla84, Sec. 3, pp. 127-129] Suppose $P = (p_i)_{i=1}^{k}$ is an increasing sequence of primes with $\log(p_k) = O(k^{\gamma})$ for some constant $\gamma$. Then, for all $n \in \mathbb{N}$ and any clause $C$ of the form $(\diamond)$, we have $\mathrm{size}(\mathcal{P}_P(C))$ polynomial in $n^{\gamma}$. In particular, $\mathcal{P}_P$ can be evaluated at any such $C$ in time polynomial in $n$. Furthermore, if $K$ is any field possessing $D_P$ distinct $D_P$-th roots of unity, then a 3CNFSAT instance $B(y) := C_1(y) \wedge \cdots \wedge C_k(y)$ has a satisfying assignment iff the univariate polynomial system $F_P := (\mathcal{P}_P(C_1), \ldots, \mathcal{P}_P(C_k))$ has a root $\zeta \in K$ satisfying $\zeta^{D_P} = 1$. ■



$^{7}$ Throughout this paper, for Boolean expressions, we will always identify $0$ with "False" and $1$ with "True".

Plaisted actually proved the special case $K = \mathbb{C}$ of the above lemma, in slightly different language, in [Pla84]. However, his proof extends verbatim to the more general family of fields detailed above.

A simple consequence of the resultant is that vanishing at a $D$-th root of unity is algebraically the same thing over $\mathbb{C}$ or $\mathbb{Q}_p$, provided $p$ lies in the right arithmetic progression.

Lemma 6.3 Suppose $D \in \mathbb{N}$, $f \in \mathbb{Z}[x]$, and $p$ is any prime congruent to $1 \bmod D$. Then $f$ vanishes at a complex $D$-th root of unity $\iff$ $f$ vanishes at a $D$-th root of unity in $\mathbb{Q}_p$.

Remark 6.4 Note that $x^2 + x + 1$ vanishes at a $3$rd root of unity in $\mathbb{C}$, but has no roots at all in $\mathbb{F}_5$ or $\mathbb{Q}_5$. So our congruence assumption on $p$ is necessary. ⋄

Proof of Lemma 6.3: First note that by our assumption on $p$, $\mathbb{Q}_p$ has $D$ distinct $D$-th roots of unity: This follows easily from Hensel's Lemma and $\mathbb{F}_p$ having $D$ distinct $D$-th roots of unity. Since $\mathbb{Z} \hookrightarrow \mathbb{Q}_p$ and $\mathbb{Q}_p$ contains all $D$-th roots of unity by construction, the equivalence then follows directly from Lemma 2.8. ■
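As an added computational illustration of Lemma 6.3 and Remark 6.4 (example code written for this page, not the paper's own): the routine below lists the $D$-th roots of unity in $\mathbb{F}_p$, lifts each one to $\mathbb{Z}/p^k\mathbb{Z}$ by Hensel's Lemma (the derivative $D\zeta^{D-1}$ is a unit because $p \equiv 1 \bmod D$ forces $p \nmid D$), and tests whether an integer polynomial vanishes at one of the lifted roots modulo $p^k$. With $f = x^2 + x + 1$ and $D = 3$ it finds a root for $p = 7 \equiv 1 \pmod 3$ and none for $p = 5$, exactly the dichotomy of the remark. The function names and the inputs are constructed for the example.

```python
# Added example (not from the paper): Lemma 6.3 / Remark 6.4 in computation.
# For a prime p = 1 (mod D), F_p has D distinct D-th roots of unity and Hensel's
# Lemma lifts each of them to Z/p^k Z (and hence to Q_p).  We then check whether
# an integer polynomial f vanishes at one of the lifted roots modulo p^k.
# Constructed inputs used below: f = x^2 + x + 1 (coefficient list, low degree
# first), D = 3, and p in {5, 7}.

def poly_eval(coeffs, x, mod):
    """Horner evaluation of sum(coeffs[i] * x**i) modulo mod."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % mod
    return acc

def roots_of_unity_mod_p(D, p):
    """All D-th roots of unity in F_p (p prime).  There are exactly D of them
    iff D divides p - 1, which is the congruence hypothesis of Lemma 6.3."""
    return sorted(a for a in range(1, p) if pow(a, D, p) == 1)

def hensel_lift_root_of_unity(zeta, D, p, k):
    """Lift zeta (zeta^D = 1 mod p) to a root of x^D - 1 modulo p^k, one Newton
    step per extra power of p.  g'(z) = D*z^(D-1) is a unit mod p since p does
    not divide D or z, so each step raises the precision by at least one."""
    mod = p
    z = zeta % p
    for _ in range(k - 1):
        mod *= p
        g = (pow(z, D, mod) - 1) % mod          # g(z) = z^D - 1
        dg = (D * pow(z, D - 1, mod)) % mod     # g'(z), invertible mod p^j
        z = (z - g * pow(dg, -1, mod)) % mod    # z <- z - g(z)/g'(z)
    return z

def vanishes_at_root_of_unity(coeffs, D, p, k):
    """Return a D-th root of unity z in Z/p^k Z with f(z) = 0 (mod p^k), or None.
    This tests ord_p f(zeta) >= k for the p-adic root of unity zeta truncated to
    precision k; when p = 1 (mod D) the roots tried are all D of them (Lemma 6.3)."""
    mod = p ** k
    for zeta in roots_of_unity_mod_p(D, p):
        z = hensel_lift_root_of_unity(zeta, D, p, k)
        assert pow(z, D, mod) == 1  # sanity check: the lift really is a root of unity
        if poly_eval(coeffs, z, mod) == 0:
            return z
    return None

if __name__ == "__main__":
    f = [1, 1, 1]                                   # x^2 + x + 1 (constructed input)
    print("roots of unity mod 7:", roots_of_unity_mod_p(3, 7))   # 7 = 1 mod 3
    print("root of f mod 7^5:", vanishes_at_root_of_unity(f, 3, 7, 5))
    print("roots of unity mod 5:", roots_of_unity_mod_p(3, 5))   # 5 != 1 mod 3
    print("root of f mod 5^3:", vanishes_at_root_of_unity(f, 3, 5, 3))
```

The lifted root found for $p = 7$ is the truncation of a primitive cube root of unity in $\mathbb{Z}_7$, at which $x^2 + x + 1$ vanishes exactly, whereas for $p = 5$ the only cube root of unity is $1$ and the search correctly comes back empty.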



6.2 Randomization to Avoid Riemann Hypotheses: Proving Theorem 1.7

The result below allows us to prove Theorem 1.7 and further tailor Plaisted's clever reduction to our purposes. We let $\pi(x)$ denote the number of primes $\le x$, and let $\pi(x; M, 1)$ denote the number of primes $\le x$ that are congruent to $1 \bmod M$.

The AGP Theorem (very special case of [AGP94, Thm. 2.1, pg. 712]) There exist $x_0 > 0$ and an $\ell \in \mathbb{N}$ such that for each $x \ge x_0$, there is a subset $\mathcal{D}(x) \subset \mathbb{N}$ of finite cardinality $\ell$ with the following property: If $M \in \mathbb{N}$ satisfies $M \le x^{2/5}$ and $a \nmid M$ for all $a \in \mathcal{D}(x)$ then
\[
\pi(x; M, 1) \ge \frac{\pi(x)}{2\varphi(M)}.
\]

For those familiar with [AGP94, Thm. 2.1, pg. 712], the result above follows immediately upon specializing the parameters there as follows:
\[
(A, \varepsilon, \delta, y, a) = (49/20,\ 1/2,\ 2/245,\ x,\ 1)
\]
(see also [vzGKS96, Fact 4.9]).

The AGP Theorem enables us to construct random primes from certain arithmetic progressions with high probability. An additional ingredient that will prove useful is the famous AKS algorithm for deterministic polynomial-time primality checking [AKS02]. Consider now the following algorithm.

Algorithm 6.5

Input: A constant $\delta > 0$, a failure probability $\varepsilon \in (0, 1/2)$, a positive integer $n$, and the constants $x_0$ and $\ell$ from the AGP Theorem.

Output: An increasing sequence $P = (p_i)_{i=1}^{n}$ of primes, and $c \in \mathbb{N}$, such that $p := 1 + c\prod_{i=1}^{n} p_i$ satisfies $\log p = O(n\log(n) + \log(1/\varepsilon))$ and, with probability $1 - \varepsilon$, $p$ is prime. In particular, the output always gives a true declaration as to the primality of $p$.

Description:

0. Let $L := \lceil 2/\varepsilon \rceil \ell$ and compute the first $nL$ primes $p_1, \ldots, p_{nL}$ in increasing order.

1. Define (but do not compute) $M_j := \prod_{k=(j-1)n+1}^{jn} p_k$ for any $j \in \mathbb{N}$. Then compute $M_L$, $M_i$ for a uniformly random $i \in [L]$, and $x := \max\{x_0,\ 17,\ 1 + M_L^{5/2}\}$.

2. Compute $K := \lfloor (x - 1)/M_i \rfloor$ and $J := \lceil 2\log(2/\varepsilon)\log x \rceil$.

3. Pick uniformly random $c \in [K]$ until one either has $p := 1 + cM_i$ prime, or one has $J$ such numbers that are each composite (using primality checks via the AKS algorithm along the way).

4. If a prime $p$ was found then output

"$1 + c\prod_{j=(i-1)n+1}^{in} p_j$ is a prime that works!"

and stop. Otherwise, stop and output

"I have failed to find a suitable prime. Please forgive me." ⋄

Remark 6.6 In our algorithm above, it suffices to find integer approximations to the underlying logarithms and square-roots. In particular, we restrict to algorithms that can compute the $\lceil \log_2 \zeta \rceil$ most significant bits of $\log \zeta$, and the $\lceil \log_2 \zeta \rceil$ most significant bits of $\sqrt{\zeta}$, using $O((\log \zeta)(\log\log \zeta)\log\log\log \zeta)$ bit operations. Arithmetic-Geometric Mean Iteration and (suitably tailored) Newton Iteration are algorithms that respectively satisfy our requirements (see, e.g., [Ber08] for a detailed description). ⋄
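Algorithm 6.5 transcribed into runnable form, as an added example that is not the paper's own code. Two substitutions are assumptions of the example: the AGP constants $x_0$ and $\ell$ are not given numerically on this page, so they are parameters with placeholder defaults ($x_0 = 17$, $\ell = 1$), and the AKS primality test is replaced by a deterministic Miller-Rabin test (exact for inputs below $3.3 \cdot 10^{24}$, which covers the sizes a small run produces). Following Remark 6.6, $M_L^{5/2}$ is computed as the integer square root of $M_L^5$. The function and variable names are the example's own.

```python
import math
import random

# Added example (not the paper's code): Algorithm 6.5 step by step.
# Assumptions: x0 and ell stand in for the AGP constants, which this page does
# not state numerically; is_prime() is a deterministic Miller-Rabin test used
# in place of AKS (correct for n < 3.3e24).

MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_prime(n):
    """Deterministic Miller-Rabin for n < 3.3e24 (stand-in for the AKS test)."""
    if n < 2:
        return False
    for q in MR_BASES:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def first_primes(count):
    """Step 0: the first `count` primes by the sieve of Eratosthenes.  The sieve
    bound uses p_m <= m(log m + log log m) for m >= 6, padded for small m."""
    if count == 0:
        return []
    m = max(count, 6)
    bound = int(m * (math.log(m) + math.log(math.log(m)))) + 10
    sieve = bytearray([1]) * (bound + 1)
    sieve[0] = sieve[1] = 0
    for i in range(2, math.isqrt(bound) + 1):
        if sieve[i]:
            sieve[i * i::i] = bytearray(len(sieve[i * i::i]))
    return [i for i in range(bound + 1) if sieve[i]][:count]

def algorithm_6_5(n, eps, x0=17, ell=1, rng=None):
    """Returns (P, c, p) with p = 1 + c * prod(P) prime and P the i-th block of
    n consecutive primes, or None if J candidates were all composite."""
    rng = rng or random.Random(0)
    L = math.ceil(2 / eps) * ell                          # Step 0
    primes = first_primes(n * L)
    i = rng.randrange(1, L + 1)                           # Step 1: random i in [L]
    block = lambda j: primes[(j - 1) * n : j * n]         # primes making up M_j
    M_L, M_i = math.prod(block(L)), math.prod(block(i))
    x = max(x0, 17, 1 + math.isqrt(M_L ** 5))             # 1 + M_L^(5/2), integer approximation
    K = (x - 1) // M_i                                    # Step 2
    J = math.ceil(2 * math.log(2 / eps) * math.log(x))
    for _ in range(J):                                    # Step 3: J random candidates
        c = rng.randrange(1, K + 1)
        p = 1 + c * M_i
        if is_prime(p):
            return block(i), c, p
    return None                                           # Step 4: failure outcome

if __name__ == "__main__":
    result = algorithm_6_5(n=3, eps=0.5, rng=random.Random(1))
    if result is None:
        print("I have failed to find a suitable prime. Please forgive me.")
    else:
        P, c, p = result
        print(f"1 + {c} * {'*'.join(map(str, P))} = {p} is a prime that works!")
```

Every success returns a prime $p \equiv 1 \pmod{M_i}$, so $p - 1$ is divisible by the $n$ consecutive primes in the chosen block, which is the property the reduction of Section 6.3 needs; the failure branch is exactly the algorithm's "please forgive me" outcome and, per the proof below, occurs with probability at most $\varepsilon$.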

Proof of Theorem 1.7: It clearly suffices to prove that Algorithm 6.5 is correct, has a success probability that is at least $1 - \varepsilon$, and works within
\[
O\!\left(\left(\tfrac{1}{\varepsilon}\right)^{2+\delta} + (n\log(n) + \log(1/\varepsilon))^{7+\delta}\right)
\]
randomized bit operations, for any $\delta > 0$. These assertions are proved directly below. ■

Proving Correctness and the Success Probability Bound for Algorithm 6.5: First observe that $M_1, \ldots, M_L$ are relatively prime. So at most $\ell$ of the $M_i$ will be divisible by elements of $\mathcal{D}(x)$. Note also that $K \ge 1$ and $1 + cM_i \le 1 + KM_i \le 1 + ((x - 1)/M_i)M_i = x$ for all $i \in [L]$ and $c \in [K]$.

Since $x \ge x_0$ and $x^{2/5} \ge (x - 1)^{2/5} \ge (M_L^{5/2})^{2/5} = M_L \ge M_i$ for all $i \in [L]$, the AGP Theorem implies that with probability at least $1 - \frac{\varepsilon}{2}$ (since $i \in [\lceil 2/\varepsilon \rceil \ell]$ is uniformly random), the arithmetic progression $\{1 + M_i, \ldots, 1 + KM_i\}$ contains at least $\frac{\pi(x)}{2\varphi(M_i)}$ primes. In which case, the proportion of numbers in $\{1 + M_i, \ldots, 1 + KM_i\}$ that are prime is $\ge \frac{\pi(x)}{2\varphi(M_i)K} \ge \frac{x/\log x}{2x} = \frac{1}{2\log x}$, since $\pi(x) \ge x/\log x$ for all $x \ge 17$ [BS96, Thm. 8.8.1, pg. 233]. So let us now assume that $i$ is fixed and $M_i$ is not divisible by any element of $\mathcal{D}(x)$.

Recalling the inequality $(1 - \frac{1}{t})^{ct} \le e^{-c}$ (valid for all $c \ge 0$ and $t \ge 1$), we then see that the AGP Theorem implies that the probability of not finding a prime of the form $p = 1 + cM_i$ after picking $J$ uniformly random $c \in [K]$ is bounded above by
\[
\left(1 - \frac{1}{2\log x}\right)^{2\log(2/\varepsilon)\log x} \le e^{-\log(2/\varepsilon)} = \frac{\varepsilon}{2}.
\]
In summary, with probability $\ge 1 - \frac{\varepsilon}{2} - \frac{\varepsilon}{2} = 1 - \varepsilon$, Algorithm 6.5 picks an $i$ with $M_i$ not divisible by any element of $\mathcal{D}(x)$ and a $c$ such that $p := 1 + cM_i$ is prime. In particular, we clearly have that
\[
\log p = O\!\left(\log\left(1 + M_L^{5/2}\right)\right) = O(n\log(n) + \log(1/\varepsilon)). \ \blacksquare
\]
Complexity Analysis of Algorithm 6.5: Let $L' := nL$ and, for the remainder of our proof, let $p_i$ denote the $i$-th prime. Since $L' \ge 6$, we have that
\[
p_{L'} \le L'(\log(L') + \log\log L')
\]
by [BS96, Thm. 8.8.4, pg. 233]. Recall that the primes in $[\zeta]$ can be listed simply by deleting all multiples of $2$ in $[\zeta]$, then deleting all multiples of $3$ in $[\zeta]$, and so on until one reaches multiples of $\lfloor \sqrt{\zeta} \rfloor$. (This is the classic sieve of Eratosthenes.) Recall also that one can multiply an integer in $[u]$ and an integer in $[v]$ within
\[
O\big((\log u)(\log\log v)(\log\log\log v) + (\log v)(\log\log u)\log\log\log u\big)
\]
bit operations (see, e.g., [BB96, Table 3.1, pg. 43]). So let us define the function $\Lambda(a) := (\log\log a)\log\log\log a$.

Step 0: By our preceding observations, it is easily checked that Step 0 takes $O(L'^{3/2}\log^3 L')$ bit operations.

Step 1: This step consists of $n - 1$ multiplications of primes with $O(\log L')$ bits (resulting in $M_L$, which has $O(n\log L')$ bits), multiplication of a small power of $M_L$ by a square root of $M_L$, division by an integer with $O(n\log L')$ bits, a constant number of additions of integers of comparable size, and the generation of $O(\log L)$ random bits. Employing Remark 2.4 along the way, we thus arrive routinely at an estimate of
\[
O\big(n^2(\log L')\Lambda(L') + \log(1/\varepsilon)\Lambda(1/\varepsilon)\big)
\]
for the total number of bit operations needed for Step 1.

Step 2: Similar to our analysis of Step 1, we see that Step 2 has bit complexity
\[
O\big((n\log(L') + \log(1/\varepsilon))\Lambda(n\log L')\big).
\]

Step 3: This is our most costly step: Here, we require
\[
O(\log K) = O(n\log(L') + \log(1/\varepsilon))
\]
random bits and $J = O(\log x) = O(n\log(L') + \log(1/\varepsilon))$ primality tests on integers with
\[
O(\log(1 + cM_i)) = O(n\log(L') + \log(1/\varepsilon))
\]
bits. By an improved version of the AKS primality testing algorithm [AKS02, LP05] (which takes $O(N^{6+\delta})$ bit operations to test an $N$ bit integer for primality), Step 3 can then clearly be done within
\[
O\big((n\log(L') + \log(1/\varepsilon))^{7+\delta}\big)
\]
bit operations, and the generation of $O(n\log(L') + \log(1/\varepsilon))$ random bits.

Step 4: This step clearly takes time on the order of the number of output bits, which is just $O(n\log(n) + \log(1/\varepsilon))$ as already observed earlier.

Conclusion: We thus see that Step 0 and Step 3 dominate the complexity of our algorithm, and we are left with an overall randomized complexity bound of
\[
\begin{aligned}
& O\big(L'^{3/2}\log^3(L') + (n\log(L') + \log(1/\varepsilon))^{7+\delta}\big) \\
={}& O\big(\left(\tfrac{n}{\varepsilon}\right)^{3/2}\log^3(n/\varepsilon) + (n\log(n) + \log(1/\varepsilon))^{7+\delta}\big) \\
={}& O\big(\left(\tfrac{1}{\varepsilon}\right)^{2+\delta} + (n\log(n) + \log(1/\varepsilon))^{7+\delta}\big)
\end{aligned}
\]
randomized bit operations. ■

6.3 The Proof of Assertion (4)

We will prove a (ZPP) randomized polynomial-time reduction from 3CNFSAT to $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathbb{Z}[x] \times \mathbb{P})$, making use of the intermediate input families $\{(\mathbb{Z}[x])^k \mid k \in \mathbb{N}\} \times \mathbb{P}$ and $\mathbb{Z}[x] \times \{x^D - 1 \mid D \in \mathbb{N}\} \times \mathbb{P}$ along the way.

Toward this end, suppose $B(y) := C_1(y) \wedge \cdots \wedge C_k(y)$ is any 3CNFSAT instance. The polynomial system $(\mathcal{P}_P(C_1), \ldots, \mathcal{P}_P(C_k))$, for $P$ the first $n$ primes (employing Lemma 6.2), then clearly yields $\mathrm{FEAS}_{\mathbb{C}}(\{(\mathbb{Z}[x])^k \mid k \in \mathbb{N}\}) \in \mathbf{P} \Longrightarrow \mathbf{P} = \mathbf{NP}$. Composing this reduction with Proposition 2.6, we then immediately obtain $\mathrm{FEAS}_{\mathbb{C}}(\mathbb{Z}[x] \times \{x^D - 1 \mid D \in \mathbb{N}\}) \in \mathbf{P} \Longrightarrow \mathbf{P} = \mathbf{NP}$.

We now need only find a means of transferring from $\mathbb{C}$ to $\mathbb{Q}_p$. This we do by preceding our reductions above by a judicious (possibly new) choice of $P$: by applying Theorem 1.7 with $\varepsilon = 1/3$ (cf. Lemma 6.3) we immediately obtain the implication
\[
\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}\big((\mathbb{Z}[x] \times \{x^D - 1 \mid D \in \mathbb{N}\}) \times \mathbb{P}\big) \in \mathbf{ZPP} \Longrightarrow \mathbf{NP} \subseteq \mathbf{ZPP}.
\]

To conclude, observe that any root $(x, y) \in \mathbb{Q}_p^2 \setminus \{(0, 0)\}$ of the quadratic form $x^2 - py^2$ must satisfy $2\,\mathrm{ord}_p x = 1 + 2\,\mathrm{ord}_p y$ (an impossibility). So the only $p$-adic rational root of $x^2 - py^2$ is $(0, 0)$ and we easily obtain a polynomial-time reduction from $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}((\mathbb{Z}[x] \times \{x^D - 1 \mid D \in \mathbb{N}\}) \times \mathbb{P})$ to $\mathrm{FEAS}_{\mathbb{Q}_{\mathrm{primes}}}(\mathbb{Z}[x] \times \mathbb{P})$: simply map any instance $(f(x), x^D - 1, p)$ of the former problem to $(f(x)^2 - (x^D - 1)^2 p,\ p)$. So we are done. ■
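The Plaisted morphism of Definition 6.1, the satisfiability criterion of Lemma 6.2, and the transfer to a prime $p \equiv 1 \pmod{D_P}$ used in this section and in Section 6.4, as an added example written for this page (not the paper's own code). Every polynomial the definition produces is a squarefree divisor of $x^{D_P} - 1$, so the example represents $\mathcal{P}_P(B)$ by the set of exponents $k \in \mathbb{Z}/D_P$ at which it vanishes at $\omega^k$ ($\omega$ a primitive $D_P$-th root of unity): negation is set complement, $\mathrm{lcm}$ is set union, and a common root of the clause polynomials is a common exponent, from which an assignment is read off. The second half evaluates the literal polynomials honestly in $\mathbb{F}_p$ for the smallest prime $p \equiv 1 \pmod{D_P}$ found by the brute-force search of Section 6.4, and shows that vanishing there matches the root sets, as Lemma 6.3 predicts. The clause encoding, the function names, and the constructed 3CNF instances are the example's own; trial division stands in for AKS at these toy sizes.

```python
from itertools import product
from math import prod

# Added example, not the paper's code: the Plaisted morphism (Definition 6.1)
# as a computation, plus the transfer to a prime field with p = 1 (mod D_P).
# Each P_P(B) is a squarefree divisor of x^{D_P} - 1, hence determined by the
# exponents k (mod D_P) with P_P(B)(omega^k) = 0, omega a primitive D_P-th root of unity:
#   P_P(y_i)      = x^{D_P/p_i} - 1       vanishes at omega^k  iff  p_i | k,
#   P_P(not B)    = (x^{D_P} - 1)/P_P(B)  -> complement of the root set,
#   P_P(B1 or B2) = lcm(P_P(B1), P_P(B2)) -> union of the root sets.
# A clause is a tuple of literals (i, negated), i a 1-based variable index (constructed encoding).

def plaisted_root_set(clause, primes):
    """Exponents k in Z/D_P with P_P(clause)(omega^k) = 0."""
    D = prod(primes)
    roots = set()
    for i, negated in clause:
        p_i = primes[i - 1]
        roots |= {k for k in range(D) if (k % p_i == 0) != negated}
    return roots

def satisfiable_via_plaisted(clauses, primes):
    """Lemma 6.2 in action: (P_P(C_1), ..., P_P(C_k)) share a D_P-th root of unity
    iff the 3CNF formula is satisfiable.  Returns the assignment read off a
    common exponent k (y_i is True iff p_i | k, the CRT witness), or None."""
    D = prod(primes)
    common = set(range(D))
    for clause in clauses:
        common &= plaisted_root_set(clause, primes)
    if not common:
        return None
    k = min(common)
    return {i + 1: (k % p == 0) for i, p in enumerate(primes)}

def smallest_prime_1_mod(D):
    """Brute-force search of Section 6.4: test 1 + kD for k = 1, 2, ...
    (trial division here; the paper uses the AKS test)."""
    k = 1
    while True:
        q = 1 + k * D
        if all(q % t for t in range(2, int(q ** 0.5) + 1)):
            return q
        k += 1

def primitive_root_of_unity(primes, p):
    """An element of exact order D_P in F_p^*: exists since p = 1 (mod D_P)
    (Lemma 6.3); D_P is squarefree, so its prime divisors are just `primes`."""
    D = prod(primes)
    for a in range(2, p):
        if pow(a, D, p) == 1 and all(pow(a, D // q, p) != 1 for q in primes):
            return a
    raise ValueError("p is not congruent to 1 mod D_P")

def literal_value_mod_p(i, negated, k, primes, p, g):
    """Evaluate the literal's polynomial at g^k in F_p, g of exact order D_P:
    P_P(y_i)(x) = x^{D/p_i} - 1,  P_P(not y_i)(x) = sum_{j < p_i} x^{j D/p_i}."""
    D = prod(primes)
    p_i = primes[i - 1]
    x = pow(g, k, p)
    if not negated:
        return (pow(x, D // p_i, p) - 1) % p
    return sum(pow(x, j * D // p_i, p) for j in range(p_i)) % p

def clause_vanishes_mod_p(clause, k, primes, p, g):
    """P_P(clause) is an lcm of squarefree divisors of x^D - 1, so it vanishes
    at g^k exactly when one of its literal polynomials does."""
    return any(literal_value_mod_p(i, neg, k, primes, p, g) == 0 for i, neg in clause)

def all_clauses_over_three_vars():
    """Constructed unsatisfiable instance: all 8 sign patterns on y1, y2, y3."""
    return [tuple((i + 1, neg) for i, neg in enumerate(signs))
            for signs in product([False, True], repeat=3)]

if __name__ == "__main__":
    P = (2, 3, 5)                                         # D_P = 30
    sat = [((1, False), (2, False), (3, False)), ((1, True), (2, True), (3, True))]
    print("satisfying assignment:", satisfiable_via_plaisted(sat, P))
    print("all 8 clauses:", satisfiable_via_plaisted(all_clauses_over_three_vars(), P))
    p = smallest_prime_1_mod(prod(P))                     # 31 = 1 + 1*30
    g = primitive_root_of_unity(P, p)
    print(f"p = {p}, primitive 30th root of unity mod p: {g}")
```

With $P = (2, 3, 5)$ the root set of $y_1$ is the even exponents, that of $\neg y_1$ the odd ones, and the two-clause instance has the common exponent $k = 2$, giving $y_1 = 1$, $y_2 = y_3 = 0$; the eight-clause instance excludes every residue class and yields no common root, as Lemma 6.2 requires. The field check is the content of Lemma 6.3 at the level of a single prime: for $p = 31 \equiv 1 \pmod{30}$ the clause polynomials vanish at $g^k$ for precisely the $k$ in the computed root sets.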

6.4 The Proof of Assertion (5)

If we also have the truth of the Wagstaff Conjecture then we simply repeat our last proof, replacing our AGP Theorem-based algorithm with a simple brute-force search. More precisely, letting $D := 2 \cdot 3 \cdots p_n$, we simply test the integers $1 + kD$ for primality, starting with $k = 1$ until one finds a prime. If Wagstaff's Conjecture is true then we need not proceed any farther than $k = O\!\left(\frac{\varphi(D)}{D}\log^2 D\right)$. (Note that $1 < \varphi(D) < D$ for all $D > 2$.) Using the AKS algorithm, this brute-force search clearly has (deterministic) complexity polynomial in $\log D$, which in turn is polynomial in $n$. ■

7 The Final Corollaries

7.1 Proof of Corollary 1.3

Our proof of Assertion (1) of Theorem 1.2 is, in retrospect, a polynomial-time reduction from $\mathrm{FEAS}_{\mathbb{Q}_p}(\mathcal{F}_{1,3})$ to $\mathrm{FEAS}_{\mathbb{Z}/(p^{\ell})}(\mathcal{F}_{1,3})$ with $\ell = O(p\,\mathrm{size}(f)^8)$. Combining this reduction with the hypothesis of Corollary 1.3 then clearly implies that $\mathrm{FEAS}_{\mathbb{Q}_p}(\mathcal{F}_{1,3})$ can be solved in time polynomial in $p + \mathrm{size}(f)^8$, so we are done. ■

7.2 Proof of Corollary liTBI 

By Lemma 4.3 we know that $\Delta_{\mathcal{A}}(f)$ has degree at most $2d - 1$ in the coefficients of $f$. We also know that for any fixed $f \in \mathcal{F}_{\mathcal{A}}(H)$, $\Delta_{\mathcal{A}}(f)$ is an integer as well, and is thus divisible by no more than $1 + (2d - 1)\log(mH)$ primes. (The last assertion follows from Lemma 4.3 again, and the elementary fact that an integer $N$ has no more than $1 + \log N$ distinct prime factors.) Recalling that $\pi(x) \ge x/\log x$ for all $x \ge 17$ [BS96, Thm. 8.8.1, pg. 233], we thus obtain that the fraction of primes $\le H$ dividing a nonzero $\Delta_{\mathcal{A}}(f)$ is bounded above by
\[
\frac{1 + (2d - 1)\log(mH)}{H/\log H}.
\]
Now by the Schwartz-Zippel Lemma [Sch80], $\Delta_{\mathcal{A}}(f)$ vanishes for at most $(2d - 1)m(2H)^{m-1}$ selections of coefficients from $\{-H, \ldots, H\}$. In other words, $\Delta_{\mathcal{A}}(f) = 0$ for a fraction of at most $(2d - 1)m(2H)^{m-1}$ out of the $(2H + 1)^m$ polynomials in $\mathcal{F}_{\mathcal{A}}(H)$.

Combining our last two fractional bounds, we are done. ■